Published:2025/03/19  Last Updated:2025/03/19

JVN#04278547
Multiple vulnerabilities in home gateway HGW-BL1500HM

Overview

Home gateway HGW-BL1500HM provided by KDDI CORPORATION contains multiple vulnerabilities.

Products Affected

  • HGW-BL1500HM Ver 002.002.003 and earlier

Description

Home gateway HGW-BL1500HM provided by KDDI CORPORATION contains multiple vulnerabilities listed below.

  • Stored cross-site scripting in the NickName registration screen (CWE-79)
    • CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score 5.4
    • CVE-2025-27567
  • Stored cross-site scripting in the USB storage file-sharing function (CWE-79)
    • CVSS:3.0/AV:P/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score 3.6
    • CVE-2025-27574
  • Path traversal in the file/folder listing process of the USB storage file-sharing function (CWE-22)
    • CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Base Score 6.5
    • CVE-2025-27716
  • Path traversal in the file upload process of the USB storage file-sharing function (CWE-22)
    • CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Base Score 8.8
    • CVE-2025-27718
  • Path traversal in the file download process of the USB storage file-sharing function (CWE-22)
    • CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Base Score 2.1
    • CVE-2025-27726
  • Path traversal in the file deletion process of the USB storage file-sharing function (CWE-22)
    • CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H Base Score 8.1
    • CVE-2025-27932
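
Four of the six issues above are CWE-22 in the same USB file-sharing function, one per file operation (listing, upload, download, deletion). The practitioner's fix for all four is a single path-confinement guard applied before any of them touches the disk. The example below is added here and is not KDDI's code; the share layout, the function names and the constructed sample tree are assumptions. It resolves the requested path (symlinks followed) against the share root and rejects anything that lands outside it, which is what defeats `..` sequences, already-decoded `%2e%2e`, `./../` padding and symlinks planted on the USB medium, while still allowing a harmless `docs/../docs/a.txt` that a naive `".." in path` check would wrongly block.

```python
"""Path-confinement guard for a USB-share style file API (added example,
not the product's own code). Every request names a path relative to the
share root; the guard returns the on-disk path or raises PathTraversal."""
import os
import tempfile
from pathlib import Path


class PathTraversal(Exception):
    """Raised when a requested path resolves outside the share root."""


def confine(share_root: Path, requested: str) -> Path:
    """Resolve `requested` under `share_root`; raise if it escapes the root.

    Checking the *resolved* path (symlinks followed, non-existent tails kept,
    so not-yet-written upload targets are covered too) rather than the raw
    string is what makes the check robust. Leading slashes are stripped so an
    absolute path is re-rooted under the share instead of replacing it;
    reject it outright instead if the API never expects absolute paths.
    """
    root = share_root.resolve()
    candidate = (root / requested.lstrip("/\\")).resolve()
    try:
        candidate.relative_to(root)          # ValueError => outside the root
    except ValueError:
        raise PathTraversal(requested) from None
    return candidate


# The four operations from the advisory, each routed through the same guard.
def list_dir(root: Path, rel: str) -> list:
    p = confine(root, rel)
    if not p.is_dir():
        raise FileNotFoundError(rel)
    return sorted(e.name for e in p.iterdir())


def upload(root: Path, rel: str, data: bytes) -> Path:
    p = confine(root, rel)                   # parent is inside the root too
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_bytes(data)
    return p


def download(root: Path, rel: str) -> bytes:
    return confine(root, rel).read_bytes()


def delete(root: Path, rel: str) -> bool:
    p = confine(root, rel)
    if p == root.resolve():                  # never unlink the share itself
        raise PathTraversal(rel)
    p.unlink()
    return True


def _blocked(root: Path, rel: str) -> bool:
    try:
        confine(root, rel)
    except PathTraversal:
        return True
    return False


def demo() -> dict:
    """Build a constructed throw-away share with a planted symlink and exercise
    the guard; returns the observed results so they can be asserted on."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        outside = Path(tmp) / "outside"          # data that must stay private
        outside.mkdir()
        (outside / "secret.txt").write_text("not for sharing")
        root = Path(tmp) / "usb"                 # the share root
        (root / "docs").mkdir(parents=True)
        (root / "docs" / "a.txt").write_text("hello")
        os.symlink(outside, root / "docs" / "link")   # symlink escaping the root

        results["list_ok"] = list_dir(root, "docs")
        results["download_ok"] = download(root, "docs/a.txt")
        results["inside_dotdot"] = download(root, "docs/../docs/a.txt")
        results["upload_ok"] = upload(root, "docs/new/b.txt", b"x") \
            .relative_to(root.resolve()).as_posix()
        results["delete_ok"] = delete(root, "docs/new/b.txt")
        results["abs_rerooted"] = confine(root, "/etc/passwd") \
            .relative_to(root.resolve()).as_posix()

        attacks = ["../outside/secret.txt",
                   "docs/../../outside/secret.txt",
                   "docs/link/secret.txt",          # via the planted symlink
                   "docs/./..//../outside"]
        results["blocked"] = [a for a in attacks if _blocked(root, a)]
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The guard must be the only way the listing, upload, download and delete handlers obtain a filesystem path; a check applied to three of them and forgotten in the fourth is exactly the shape of the four separate CVEs above.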

Impact

  • An arbitrary script may be executed in the web browser of a user of the configuration page or of other functions reachable only from the LAN side of the product (CVE-2025-27567, CVE-2025-27574)
  • The product's files may be obtained and/or altered or arbitrary code may be executed by unauthorized access to specific functions of the product from a device connected to the LAN side (CVE-2025-27716, CVE-2025-27718, CVE-2025-27726)
  • An attacker may delete a file on the device or cause a denial of service (DoS) condition (CVE-2025-27932)

Solution

Update the firmware
Update the firmware to the latest version according to the information provided by the developer.

Vendor Status

Vendor Link
KDDI Technology Vulnerability Response (Text in Japanese)

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

Huiseong Seo reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

CVE
  • CVE-2025-27567
  • CVE-2025-27574
  • CVE-2025-27716
  • CVE-2025-27718
  • CVE-2025-27726
  • CVE-2025-27932
JVN iPedia
  • JVNDB-2025-000018