JVN#95938761
UNIVERGE IX/IX-R/IX-V series routers provided by NEC Corporation vulnerable to cross-site scripting
Overview
UNIVERGE IX/IX-R/IX-V series routers provided by NEC Corporation contain a cross-site scripting vulnerability.
Products Affected
- UNIVERGE IX series
- UNIVERGE IX-R/IX-V series
Description
UNIVERGE IX/IX-R/IX-V series routers provided by NEC Corporation contain the following vulnerability.
- Cross-site scripting (CWE-79)
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Base Score 5.1
- CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score 6.1
- CVE-2025-8153
Impact
If a user accesses a crafted URL, an arbitrary script may be executed on the user's web browser.
Moreover, if the victim user is logged in to the UNIVERGE IX series WebGUI, the script may interact with the product to execute arbitrary CLI commands with the user's privileges.
Solution
Update the Software
Apply the appropriate update according to the information provided by the developer.
Apply the workaround
If the update cannot be applied for some reason, disable the affected product's WebGUI.
For more details, refer to the information provided by the developer.
Credit
RyotaK of GMO Flatt Security Inc. reported this vulnerability to NEC Corporation and coordinated.
After the coordination was completed, NEC Corporation reported the case to IPA to notify users of the solution through JVN.
Other Information
- JVN iPedia: JVNDB-2025-000079