JVN#89339669: Multiple vulnerabilities in NEC Aterm series (NV26-001)

Overview

Aterm series products provided by NEC Corporation contain multiple vulnerabilities.

Products Affected

Multiple Aterm models are affected.
Refer to the advisory provided by NEC for the detailed information.

Description

Aterm series products provided by NEC Corporation contain multiple vulnerabilities listed below.

Missing authorization (CWE-862)
- CVE-2026-4309
Path traversal (CWE-22)
- CVE-2026-4619
OS command injection (CWE-78)
- CVE-2026-4620, CVE-2026-4622
Hidden functionality (CWE-912)
- CVE-2026-4621

Impact

Some device specific information may be retrieved, resulting to unintended change of the settings (CVE-2026-4309)
Arbitrary files on the affected device may be overwritten (CVE-2026-4619)
Arbitrary OS commands may be executed on the affected device (CVE-2026-4620, CVE-2026-4622)
telnet service may be enabled (CVE-2026-4621)

Solution

The solution varies depending on the models.
For more information, refer to the information provided by the developer.

Vendor Status

Vendor	Status	Last Update	Vendor Notes
NEC Corporation	Vulnerable	2026/04/03

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

The vulnerabilities are reported from the following people, and JPCERT/CC coordinated with the developer.

CVE-2026-4309
Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.

CVE-2026-4619, CVE-2026-4620, CVE-2026-4621, CVE-2026-4622
Chuya Hayakawa of 00One, Inc. reported these vulnerabilities to JPCERT/CC.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE
JVN iPedia	JVNDB-2026-000049

JVN#89339669 Multiple vulnerabilities in NEC Aterm series (NV26-001)