Published:2026/05/25 Last Updated:2026/05/25
JVN#80890147
NEC Aterm series vulnerable to OS command injection (NV26-003)
Overview
NEC Aterm series products provided by NEC Corporation contain an OS command injection vulnerability.
Products Affected
- MR51FN versions prior to Ver.3.4.0
- CM51FD versions prior to Ver.1.2.0
Description
NEC Aterm series products provided by NEC Corporation contain the following vulnerability.
- OS command injection (CWE-78)
- CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Base Score 8.5
- CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Base Score 6.8
- CVE-2026-8652
Impact
An arbitrary OS command may be executed by an attacker who can log in to the web console as an administrator.
Solution
Update the firmware
Update the firmware to the latest version according to the information provided by the developer
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
So Kato of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
|
| JVN iPedia |
JVNDB-2026-000079 |
Update History
- 2026/05/25
- Information under the section [Description] was updated