Rakuten WiFi Pocket vulnerable to improper authentication


Rakuten WiFi Pocket provided by Rakuten Mobile, Inc. is a mobile router.
The Management Screen of Rakuten WiFi Pocket contains an improper authentication vulnerability (CWE-287).

Sato Nobuhiro of Suzuki Motor Corporation and You Okuma of LAC Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
CVSS Severity

CVSS V3 Severity:
Base Metrics 3.1 (Low) [IPA Score]
  • Attack Vector: Adjacent Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 2.9 (Low) [IPA Score]
  • Access Vector: Adjacent Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None
Affected Products

Rakuten Mobile, Inc.
  • Rakuten WiFi Pocket all versions

Note that Rakuten WiFi Pocket 2B and Rakuten WiFi Pocket 2C are not affected by this vulnerability.

An attacker who can access the product may log in to the product's Management Screen. As a result, sensitive information may be obtained and/or the settings may be changed.

[Stop using the product and switch to alternative products]
The developer states that the affected product is no longer supported, and recommends using alternative products.
For more information, refer to the information provided by the developer.
Vendor Information

Rakuten Mobile, Inc.
CWE

  1. Improper Authentication (CWE-287) [IPA Evaluation]
CVE

  1. CVE-2023-40282

References

  1. JVN : JVN#55217369
  2. National Vulnerability Database (NVD) : CVE-2023-40282
Revision History

  • [2023/08/23]
      Web page was published
  • [2024/03/27]
      References : Content was added