Yamaha wireless LAN access point devices vulnerable to active debug code


Active debug code (CWE-489) exists in wireless LAN access point devices provided by Yamaha Corporation.
The debug function can be enabled by performing specific operations.

Chuya Hayakawa of 00One, Inc. reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.
CVSS Severity

CVSS V3 Severity:
Base Metrics 6.8 (Medium)
  • Attack Vector: Adjacent Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics 5.2 (Medium)
  • Access Vector: Adjacent Network
  • Access Complexity: Low
  • Authentication: Single Instance
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
Affected Products

Yamaha Corporation
  • WLX202 firmware Rev.16.00.18 and earlier
  • WLX212 firmware Rev.21.00.12 and earlier
  • WLX222 firmware Rev.24.00.03 and earlier
  • WLX313 firmware Rev.18.00.12 and earlier
  • WLX413 firmware Rev.22.00.05 and earlier


A logged-in user who knows how to use the debug function can enable it by performing specific operations on the device's management page. As a result, an arbitrary OS command may be executed and/or configuration settings of the device may be altered.

[Update the firmware]
Update the firmware to the latest version according to the information provided by the developer.
Vendor Information

Yamaha Corporation
CWE

  1. Active Debug Code (CWE-489)
CVE

  1. CVE-2024-22366

  1. JVN : JVNVU#99896362
  2. National Vulnerability Database (NVD) : CVE-2024-22366
Revision History

  • [2024/01/24]
      Web page was published
  • [2024/03/13]
      References : Content was added