Published: 2025/11/07  Last Updated: 2025/11/07

JVN#59387134
CLUSTERPRO X and EXPRESSCLUSTER X vulnerable to OS command injection

Overview

CLUSTERPRO X and EXPRESSCLUSTER X provided by NEC Corporation contain an OS command injection vulnerability.

Products Affected

  • CLUSTERPRO X 4.0 for Linux
  • EXPRESSCLUSTER X 4.0 for Linux
  • CLUSTERPRO X 4.1 for Linux
  • EXPRESSCLUSTER X 4.1 for Linux
  • CLUSTERPRO X 4.2 for Linux
  • EXPRESSCLUSTER X 4.2 for Linux
  • CLUSTERPRO X 4.3 for Linux
  • EXPRESSCLUSTER X 4.3 for Linux
  • CLUSTERPRO X 5.0 for Linux
  • EXPRESSCLUSTER X 5.0 for Linux
  • CLUSTERPRO X 5.1 for Linux
  • EXPRESSCLUSTER X 5.1 for Linux
  • CLUSTERPRO X 5.2 for Linux
  • EXPRESSCLUSTER X 5.2 for Linux
  • CLUSTERPRO X SingleServerSafe 4.0 for Linux
  • EXPRESSCLUSTER X SingleServerSafe 4.0 for Linux
  • CLUSTERPRO X SingleServerSafe 4.1 for Linux
  • EXPRESSCLUSTER X SingleServerSafe 4.1 for Linux
  • CLUSTERPRO X SingleServerSafe 4.2 for Linux
  • EXPRESSCLUSTER X SingleServerSafe 4.2 for Linux
  • CLUSTERPRO X SingleServerSafe 4.3 for Linux
  • EXPRESSCLUSTER X SingleServerSafe 4.3 for Linux
  • CLUSTERPRO X SingleServerSafe 5.0 for Linux
  • EXPRESSCLUSTER X SingleServerSafe 5.0 for Linux
  • CLUSTERPRO X SingleServerSafe 5.1 for Linux
  • EXPRESSCLUSTER X SingleServerSafe 5.1 for Linux
  • CLUSTERPRO X SingleServerSafe 5.2 for Linux
  • EXPRESSCLUSTER X SingleServerSafe 5.2 for Linux

Description

CLUSTERPRO X and EXPRESSCLUSTER X provided by NEC Corporation contain the following vulnerability.

  • OS command injection (CWE-78)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Base Score 9.3
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score 9.8
    • CVE-2025-11546

Impact

An attacker who can send a specially crafted packet to an affected host may execute arbitrary OS commands on it without any authentication.

Solution

Update the Software
Update the software to the latest version according to the information provided by the developer.

Apply the workarounds
Apply the following workarounds to avoid the impacts of this vulnerability.

  • Enable a firewall and block unnecessary packets
  • Accept connection requests for the following ports only from the hosts belonging to the cluster:
    • Data transfer (Default: 29002)
For more details, refer to the information provided by the developer.
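The second workaround, restricting the data-transfer port to cluster members, can be expressed as a host firewall ruleset. The script below is an added example for this page and is not NEC's or JVN's own guidance: it generates an nftables ruleset that accepts the given port only from the listed cluster nodes and drops it from every other source. It assumes the port is TCP, that the interconnect is IPv4, and that nftables is available on the node; the node addresses in the usage comment are constructed sample values. Adjust the port if the cluster does not use the default 29002.

```shell
#!/bin/sh
# Added example (not from the JVN advisory or NEC documentation).
# Emit an nftables ruleset that accepts the CLUSTERPRO/EXPRESSCLUSTER
# data-transfer port only from cluster members and drops it otherwise.
# Assumptions: the port is TCP and the cluster interconnect is IPv4.

# gen_nft_rules PORT "NODE_IP1 NODE_IP2 ..."  -> prints an nft ruleset on stdout
gen_nft_rules() {
    port=$1
    nodes=$2
    # shellcheck disable=SC2086  (word splitting of the node list is intended)
    set -- $nodes
    [ "$#" -ge 1 ] || { echo "gen_nft_rules: need at least one cluster node" >&2; return 1; }
    # Build "a, b, c" for an nft anonymous set from the node list.
    list=$(printf '%s, ' "$@")
    list=${list%, }
    cat <<EOF
table inet clusterpro {
    chain input {
        type filter hook input priority 0; policy accept;
        ct state established,related accept
        ip saddr { $list } tcp dport $port accept
        tcp dport $port drop
    }
}
EOF
}

# count_port_rules PORT "NODES": number of generated rules that match the port
# (expected: exactly one accept for the cluster set and one catch-all drop).
count_port_rules() {
    gen_nft_rules "$1" "$2" | grep -c "dport $1"
}

# Usage on a cluster node (constructed sample addresses):
#   gen_nft_rules 29002 "10.0.0.11 10.0.0.12" | sudo nft -f -
# Verify afterwards with:  sudo nft list table inet clusterpro
```

The chain keeps `policy accept` so that only the vulnerable port is affected; on a node that already runs a default-deny input policy, merge the two `dport` rules into the existing chain instead of loading a second table.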

Vendor Status

Vendor           Status      Last Update   Vendor Notes
NEC Corporation  Vulnerable  2025/11/07

JPCERT/CC Addendum

Credit

NEC Corporation reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and NEC Corporation coordinated under the Information Security Early Warning Partnership.

Other Information

JVN iPedia: JVNDB-2025-000102