UNIVERGE Aspire series PBX vulnerable to denial-of-service (DoS)


Remote system maintenance feature of UNIVERGE Aspire series PBX contain an issue in handling commands, which may cause a denial-of-service (DoS).

NEC Platforms, Ltd. reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and NEC Platforms, Ltd. coordinated under the Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 3.1 (Low) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low
CVSS V2 Severity:
Base Metrics 3.5 (Low) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: Single Instance
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Partial
Affected Products

NEC Platforms, Ltd.
  • SL2100 from 1.00 to 3.00
  • UNIVERGE Aspire UX from 1.00 to 9.70
  • UNIVERGE Aspire WX from 1.00 to 3.51
  • UNIVERGE SV9100 from 1.00 to 10.70


An attacker may cause system down and reboot of the products by sending a specially crafted command.

[Update the Software]
Update to the latest version according to the information provided by the developer.
The developer has released the following versions.
*UNIVERGE Aspire UX 9.80 or the later
*UNIVERGE Aspire WX 4.00 or the later
*UNIVERGE SV9100 11.00 or the later
*SL2100 3.10 or the later

[Apply Workarounds]
The following workarounds may mitigate the affects of this vulnerability.
*Disable the remote system maintenance feature.
*Do not directly connect the products to an external network such as the Internet.
Note that the products' remote system maintenance feature is disabled by default.
Vendor Information

NEC Platforms, Ltd.
CWE (What is CWE?)

  1. No Mapping(CWE-Other) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2021-20677

  1. JVN : JVN#12737530
Revision History

  • [2021/03/22]
      Web page was published