Published:2018/09/13  Last Updated:2018/09/13

Multiple FXC network devices vulnerable to cross-site scripting


Multiple FXC network devices contain a cross-site scripting vulnerability.

Products Affected

  • Managed Ethernet switch FXC5210/5218/5224 firmware prior to version Ver1.00.22
  • Managed Ethernet switch FXC5426F firmware prior to version Ver1.00.06
  • Managed Ethernet switch FXC5428 firmware prior to version Ver1.00.07
  • Power over Ethernet (PoE) switch FXC5210PE/5218PE/5224PE firmware prior to version Ver1.00.14
  • Wireless LAN router AE1021/AE1021PE firmware all versions


Multiple network devices provided by FXC Inc. contain a stored cross-site scripting vulnerability (CWE-79).


If an attacker with administrative rights logs in to the Management GUI and embeds a specially crafted script, that script may be executed in another administrator's web browser.


Solution for Managed Ethernet switch and Power over Ethernet (PoE) switch:
Update the Firmware
Apply the appropriate firmware update according to the information provided by the developer.

Solution for Wireless LAN router:
Apply Workaround
The following workaround may mitigate the impact of this vulnerability.

  • Restrict access to the Management CGI of the device. Permit access only to trusted administrators.
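
To check a device inventory against the affected versions listed above and pick the matching remedy, the following added example (not code from JVN, JPCERT/CC or FXC) can be used. It assumes firmware strings have the form "Ver1.00.22" and that versions order numerically field by field; the inventory rows and the verdict names are constructed for illustration.

```python
import re

# Fixed firmware per model, transcribed from "Products Affected" above.
# None = all versions affected, so only the access-restriction workaround applies.
FIXED = {
    "FXC5210": "Ver1.00.22", "FXC5218": "Ver1.00.22", "FXC5224": "Ver1.00.22",
    "FXC5426F": "Ver1.00.06",
    "FXC5428": "Ver1.00.07",
    "FXC5210PE": "Ver1.00.14", "FXC5218PE": "Ver1.00.14", "FXC5224PE": "Ver1.00.14",
    "AE1021": None, "AE1021PE": None,
}

_VERSION = re.compile(r"\s*(?:ver\.?)?\s*(\d+(?:\.\d+)*)\s*", re.IGNORECASE)

def parse_version(text):
    """'Ver1.00.22' -> (1, 0, 22). Assumption: fields are dotted integers."""
    m = _VERSION.fullmatch(text)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))

def assess(model, firmware):
    """Return 'not-listed', 'fixed', 'update-firmware' or 'restrict-access'."""
    key = model.strip().upper()
    if key not in FIXED:
        return "not-listed"
    fixed = FIXED[key]
    if fixed is None:
        return "restrict-access"  # wireless LAN routers: no fixed firmware listed
    # Compare integer tuples: a string compare would rank "1.00.9" above "1.00.14".
    if parse_version(firmware) < parse_version(fixed):
        return "update-firmware"
    return "fixed"

# Constructed inventory rows (model, reported firmware), for illustration only.
INVENTORY = [
    ("FXC5218", "Ver1.00.21"),
    ("FXC5218", "Ver1.00.22"),
    ("fxc5224pe", "1.00.9"),
    ("AE1021PE", "Ver2.0.1"),
    ("FXC5428", "Ver1.01.00"),
]

def audit(rows):
    """Attach a verdict to every (model, firmware) row."""
    return [(model, fw, assess(model, fw)) for model, fw in rows]

if __name__ == "__main__":
    for model, fw, verdict in audit(INVENTORY):
        print(f"{model:<10} {fw:<12} {verdict}")
```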

Vendor Status

Vendor      Status       Last Update   Vendor Notes
FXC Inc.    Vulnerable   2018/09/13    FXC Inc. website


JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 Base Score: 4.3
  Attack Vector (AV): Physical (P), Local (L), Adjacent (A), Network (N)
  Attack Complexity (AC): High (H), Low (L)
  Privileges Required (PR): High (H), Low (L), None (N)
  User Interaction (UI): Required (R), None (N)
  Scope (S): Unchanged (U), Changed (C)
  Confidentiality Impact (C): None (N), Low (L), High (H)
  Integrity Impact (I): None (N), Low (L), High (H)
  Availability Impact (A): None (N), Low (L), High (H)

CVSS v2 Base Score: 2.3
  Access Vector (AV): Local (L), Adjacent Network (A), Network (N)
  Access Complexity (AC): High (H), Medium (M), Low (L)
  Authentication (Au): Multiple (M), Single (S), None (N)
  Confidentiality Impact (C): None (N), Partial (P), Complete (C)
  Integrity Impact (I): None (N), Partial (P), Complete (C)
  Availability Impact (A): None (N), Partial (P), Complete (C)


SUNAGAWA, Masanori of Japan Advanced Institute of Science and Technology Graduate School of Advanced Science and Technology Security and Networks reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

CVE: CVE-2018-0679
JVN iPedia: JVNDB-2018-000097