JVNDB-2022-000016

UNIVERGE WA Series vulnerable to OS command injection

UNIVERGE WA Series provided by NEC Platforms, Ltd. contains an OS command injection vulnerability.

Remote system maintenance feature of UNIVERGE WA series "Local maintenance console/Remote maintenance console/Web based remote console maintenance" contains an OS command injection vulnerability (CWE-78).

NEC Platforms, Ltd. reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and NEC Platforms, Ltd. coordinated under the Information Security Early Warning Partnership.

NEC Platforms, Ltd.

• UNIVERGE WA Series Ver8.2.11 and eariler

If an attacker who can access the product sends specific character strings or a specially crafted request to a specific URL, an arbitrary command may be executed or a denial-of-service (DoS) condition may be caused.

[Update the Software]
Update the software to the appropriate version according to the information provided by the developer.

• UNIVERGE WA Series Ver8.2.13 and later

To obtain the update, contact the sales representative where you purchased the product.

[Apply the workarounds]
Applying the following workarounds may mitigate the impacts of this vulnerability.

• Explicitly create an access rule based on source IP addresses/destination IP addresses/port numbers for network connections to the product.


• Change a user name and a password for ID/password authentication from initial settings to prevent unauthorized login attemps from a malicious user.


• Set the password with a strong string (8 or more characters, mixed case/number is recommended).

NEC Platforms, Ltd.

• NEC Platforms, Ltd. : UNIVERGE WA Series vulnerable to OS command injection Status:Vulnerable

1. OS Command Injection(CWE-78) [IPA Evaluation]

1. CVE-2022-25621

1. JVN : JVN#72801744
2. National Vulnerability Database (NVD) : CVE-2022-25621

• [2022/03/10]
    Web page was published