Published: 2025/07/16  Last Updated: 2025/07/16

JVN#44419726
ZWX-2000CSW2-HN and ZWX-2000CS2-HN vulnerable to use of hard-coded credentials

Overview

ZWX-2000CSW2-HN and ZWX-2000CS2-HN provided by ZEXELON CO., LTD. contain a use of hard-coded credentials vulnerability.

Products Affected

  • ZWX-2000CSW2-HN firmware versions prior to 0.3.19
  • ZWX-2000CS2-HN firmware all versions

Description

ZWX-2000CSW2-HN and ZWX-2000CS2-HN provided by ZEXELON CO., LTD. contain the following vulnerability.

  • Use of Hard-coded Credentials (CWE-798)
    • CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N Base Score 6.8
    • CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N Base Score 4.5
    • CVE-2025-53842

This vulnerability is caused by an insufficient fix for CVE-2024-39838 (JVN#70666401).

Impact

An attacker may tamper with the settings of the device by obtaining the credentials.

Solution

ZWX-2000CSW2-HN
Update the firmware
Update the firmware to the latest version and check and change the settings according to the information provided by the developer.

ZWX-2000CS2-HN
Apply the workaround
Check and change the settings according to the information provided by the developer.

References

  1. JVN#70666401
    Multiple vulnerabilities in ZEXELON ZWX-2000CSW2-HN

Credit

Hiroki Sato of Institute of Science Tokyo reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

CVE: CVE-2025-53842
JVN iPedia: JVNDB-2025-000049