Published:2021/01/04  Last Updated:2021/03/25

Multiple vulnerabilities in UNIVERGE SV9500/SV8500 series


UNIVERGE SV9500/SV8500 series provided by NEC Platforms, Ltd. contain multiple vulnerabilities.

Products Affected

  • UNIVERGE SV9500 series from V1 to V7
  • UNIVERGE SV8500 series from S6 to S8


Remote system maintenance feature of UNIVERGE SV9500/SV8500 series' Web based remote maintenance console contains multiple vulnerabilities listed below.

  • OS Command Injection (CWE-78) - CVE-2020-5685
    CVSS v3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Base Score: 9.6
    CVSS v2 AV:A/AC:L/Au:N/C:P/I:P/A:P Base Score: 5.8
  • Incorrect Implementation of Authentication Algorithm (CWE-303) - CVE-2020-5686
    CVSS v3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L Base Score: 7.6
    CVSS v2 AV:A/AC:L/Au:N/C:P/I:P/A:P Base Score: 5.8


  • If an attacker who can access the device sends a specially crafted request to a specific URL, an arbitrary command may be executed or a denial-of-service (DoS) condition may be caused - CVE-2020-5685
  • If an attacker who can access the device sends a specially crafted request to a specific URL, the remote system maintenance feature may be accessed illegally and information may be disclosed - CVE-2020-5686


Update the Software
Update to the software according to the information provided by the developer.
Contact your product dealer for details of the update.

Apply the workarounds
Applying the following workarounds may mitigate the impacts of these vulnerabilities.

  • Do not directly connect the products to an external network such as the Internet.
  • Explicitly create an access rule based on source IP addresses/destination IP addresses/port numbers for network connection to the products.

Vendor Status

Vendor Status Last Update Vendor Notes
NEC Platforms, Ltd. Vulnerable 2021/01/04


JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC


NEC Platforms, Ltd. reported these vulnerabilities to IPA to notify users of its solution through JVN. JPCERT/CC and NEC Platforms, Ltd. coordinated under the Information Security Early Warning Partnership.

Other Information

JPCERT Reports
CERT Advisory
CPNI Advisory
CVE CVE-2020-5685
JVN iPedia JVNDB-2021-000001

Update History

Information under [Credit] was updated.