Published:2023/05/16  Last Updated:2023/06/09

OS command injection vulnerability in Inaba Denki Sangyo Wi-Fi AP UNIT


Wi-Fi AP UNIT provided by Inaba Denki Sangyo Co., Ltd. contains an OS command injection vulnerability.

Products Affected

  • AC-PD-WAPU v1.05_B04 and earlier
  • AC-PD-WAPUM v1.05_B04 and earlier
  • AC-PD-WAPU-P v1.05_B04P and earlier
  • AC-PD-WAPUM-P v1.05_B04P and earlier
  • AC-WAPU-300 v1.00_B07 and earlier
  • AC-WAPUM-300 v1.00_B07 and earlier
  • AC-WAPU-300-P v1.00_B08P and earlier
  • AC-WAPUM-300-P v1.00_B08P and earlier


Wi-Fi AP UNIT provided by Inaba Denki Sangyo Co., Ltd. contains an OS command injection vulnerability (CWE-78).


An arbitrary OS command may be executed by an authenticated user with the administrative privilege.


Apply the workaround
The developer states that these products are no longer supported and recommends the following mitigations.

  • Change the initial configuration values
    • Change IP address
  • Change device operation setting
    • Prohibit access to the WEB UI (the setting page) from WAN/Wireless interface (Only allow through the front LAN port)
  • Change filtering configuration
    • Set the MAC address of the client to allow wireless connection
    • Configure VPN, IP filters, etc. to restrict connections from the client
  • Other Cautions
    • Setup a firewall and run the product behind it
    • Do not access to other websites while logged into the setting page of the product
    • Close the web browser after finishing the operation in the setting page
    • Delete the password for the setting page saved in the web browser

Vendor Status


JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Base Score: 7.2
Attack Vector(AV) Physical (P) Local (L) Adjacent (A) Network (N)
Attack Complexity(AC) High (H) Low (L)
Privileges Required(PR) High (H) Low (L) None (N)
User Interaction(UI) Required (R) None (N)
Scope(S) Unchanged (U) Changed (C)
Confidentiality Impact(C) None (N) Low (L) High (H)
Integrity Impact(I) None (N) Low (L) High (H)
Availability Impact(A) None (N) Low (L) High (H)
Base Score: 6.5
Access Vector(AV) Local (L) Adjacent Network (A) Network (N)
Access Complexity(AC) High (H) Medium (M) Low (L)
Authentication(Au) Multiple (M) Single (S) None (N)
Confidentiality Impact(C) None (N) Partial (P) Complete (C)
Integrity Impact(I) None (N) Partial (P) Complete (C)
Availability Impact(A) None (N) Partial (P) Complete (C)


Chuya Hayakawa of 00One, Inc. reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.

Other Information

JPCERT Reports
CERT Advisory
CPNI Advisory
CVE CVE-2023-28392
JVN iPedia

Update History

Information under the section [Products Affected], [Impact], [Solution] and [Vendor Status] was updated