Published: 2022/03/10  Last Updated: 2022/03/10

UNIVERGE WA Series vulnerable to OS command injection


UNIVERGE WA Series provided by NEC Platforms, Ltd. contains an OS command injection vulnerability.

Products Affected

  • UNIVERGE WA Series Ver8.2.11 and earlier


The remote system maintenance feature of the UNIVERGE WA Series ("Local maintenance console/Remote maintenance console/Web based remote console maintenance") contains an OS command injection vulnerability (CWE-78).


If an attacker who can access the product sends specific character strings or a specially crafted request to a specific URL, an arbitrary command may be executed or a denial-of-service (DoS) condition may be caused.


Update the Software
Update the software to the appropriate version according to the information provided by the developer.

  • UNIVERGE WA Series Ver8.2.13 and later
To obtain the update, contact the sales representative where you purchased the product.

Apply the workarounds
Applying the following workarounds may mitigate the impacts of this vulnerability.
  • Explicitly create an access rule based on source IP addresses/destination IP addresses/port numbers for network connections to the product.
  • Change the user name and password used for ID/password authentication from their initial settings to prevent unauthorized login attempts by a malicious user.
  • Set a strong password (8 or more characters; mixed case and numbers are recommended).

Vendor Status

Vendor | Status | Last Update | Vendor Notes
NEC Platforms, Ltd. | Vulnerable | 2022/03/10 |


JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 Base Score: 8.8
Attack Vector(AV) Physical (P) Local (L) Adjacent (A) Network (N)
Attack Complexity(AC) High (H) Low (L)
Privileges Required(PR) High (H) Low (L) None (N)
User Interaction(UI) Required (R) None (N)
Scope(S) Unchanged (U) Changed (C)
Confidentiality Impact(C) None (N) Low (L) High (H)
Integrity Impact(I) None (N) Low (L) High (H)
Availability Impact(A) None (N) Low (L) High (H)

CVSS v2 Base Score: 5.8
Access Vector(AV) Local (L) Adjacent Network (A) Network (N)
Access Complexity(AC) High (H) Medium (M) Low (L)
Authentication(Au) Multiple (M) Single (S) None (N)
Confidentiality Impact(C) None (N) Partial (P) Complete (C)
Integrity Impact(I) None (N) Partial (P) Complete (C)
Availability Impact(A) None (N) Partial (P) Complete (C)


NEC Platforms, Ltd. reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and NEC Platforms, Ltd. coordinated under the Information Security Early Warning Partnership.

Other Information

  • CVE: CVE-2022-25621
  • JVN iPedia: JVNDB-2022-000016