UNIVERGE WA Series vulnerable to OS command injection


UNIVERGE WA Series provided by NEC Platforms, Ltd. contains an OS command injection vulnerability.

Remote system maintenance feature of UNIVERGE WA series "Local maintenance console/Remote maintenance console/Web based remote console maintenance" contains an OS command injection vulnerability (CWE-78).

NEC Platforms, Ltd. reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and NEC Platforms, Ltd. coordinated under the Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 8.8 (High) [IPA Score]
  • Attack Vector: Adjacent Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics 5.8 (Medium) [IPA Score]
  • Access Vector: Adjacent Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
Affected Products

NEC Platforms, Ltd.
  • UNIVERGE WA Series Ver8.2.11 and eariler


If an attacker who can access the product sends specific character strings or a specially crafted request to a specific URL, an arbitrary command may be executed or a denial-of-service (DoS) condition may be caused.

[Update the Software]
Update the software to the appropriate version according to the information provided by the developer.

  • UNIVERGE WA Series Ver8.2.13 and later

To obtain the update, contact the sales representative where you purchased the product.

[Apply the workarounds]
Applying the following workarounds may mitigate the impacts of this vulnerability.

  • Explicitly create an access rule based on source IP addresses/destination IP addresses/port numbers for network connections to the product.

  • Change a user name and a password for ID/password authentication from initial settings to prevent unauthorized login attemps from a malicious user.

  • Set the password with a strong string (8 or more characters, mixed case/number is recommended).
Vendor Information

NEC Platforms, Ltd.
CWE (What is CWE?)

  1. OS Command Injection(CWE-78) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2022-25621

  1. JVN : JVN#72801744
Revision History

  • [2022/03/10]
      Web page was published