JVN#49899607
NCP-HG100 vulnerable to OS command injection
Overview
NCP-HG100 provided by Sony Network Communications Inc. and used in MANOMA service contains an OS command injection vulnerability.
Products Affected
- NCP-HG100/Cellular model firmware versions 1.4.48.16 and earlier
- NCP-HG100/WLAN model firmware versions 1.4.48.16 and earlier
Description
NCP-HG100 provided by Sony Network Communications Inc. and used in MANOMA service contains the following vulnerability.
- OS command injection (CWE-78)
- CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Base Score 8.6
- CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Base Score 7.2
- CVE-2025-64444
Impact
A remote attacker who has obtained the authentication information to log in to the management page of the product may execute an arbitrary OS command with root privileges.
Solution
Update the firmware
Update the firmware to the latest version according to the information provided by the developer.
The developer has released the following updates to address this vulnerability.
- NCP-HG100/Cellular model firmware version 1.4.48.17
- NCP-HG100/WLAN model firmware version 1.4.48.17
Vendor Status
| Vendor | Link |
| Sony Network Communications Inc. | Regarding the firmware update for the MANOMA AI Home Gateway (Text in Japanese) |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
HIROKI IMAI of LAC Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert | |
| JPCERT Reports | |
| CERT Advisory | |
| CPNI Advisory | |
| TRnotes | |
| CVE | CVE-2025-64444 |
| JVN iPedia | JVNDB-2025-000105 |