Published:2024/08/05  Last Updated:2024/08/05

JVN#70666401
Multiple vulnerabilities in ZEXELON ZWX-2000CSW2-HN

Overview

ZWX-2000CSW2-HN provided by ZEXELON CO., LTD. contains multiple vulnerabilities.

Products Affected

  • ZWX-2000CSW2-HN firmware versions prior to Ver.0.3.15

Description

ZWX-2000CSW2-HN provided by ZEXELON CO., LTD. is a high-speed coaxial modem with wireless LAN functions. ZWX-2000CSW2-HN contains multiple vulnerabilities listed below.

  • Use of hard-coded credentials (CWE-798)
    • CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N Base Score 4.5
    • CVE-2024-39838
  • Incorrect permission assignment for critical resource (CWE-732)
    • CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Base Score 8.0
    • CVE-2024-41720

Impact

An attacker may alter the configuration of the device.

Solution

Update the firmware
Update the firmware to the latest version according to the information provided by the developer.

Vendor Status

Vendor Link
ZEXELON CO., LTD. Multiple vulnerabilities and countermeasures in high-speed coaxial modems with wireless LAN function (parent and child common models) (PDF, Text in Japanese)

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

Hiroki Sato of Tokyo Institute of Technology reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2024-39838
CVE-2024-41720
JVN iPedia JVNDB-2024-000084