
JVNDB-2025-000079

UNIVERGE IX/IX-R/IX-V series routers provided by NEC Corporation vulnerable to cross-site scripting

Overview

UNIVERGE IX/IX-R/IX-V series routers provided by NEC Corporation contain the following vulnerability.
  • Cross-site scripting (CWE-79) - CVE-2025-8153

RyotaK of GMO Flatt Security Inc. reported this vulnerability to NEC Corporation and coordinated.
After the coordination was completed, NEC Corporation reported the case to IPA to notify users of the solution through JVN.

CVSS Severity

CVSS V3 Severity:
Base Metrics 6.1 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Affected Products

NEC Corporation
  • UNIVERGE IX series
  • UNIVERGE IX-R/IX-V series

For details of the affected product names and versions, refer to the information provided by the developer.

Impact

If a user accesses a crafted URL, an arbitrary script may be executed on the user's web browser.
Moreover, if the victim user is logged in to the UNIVERGE IX series WebGUI, the script may interact with the product to execute arbitrary CLI commands with that user's privileges.

Solution

[Update the Software]
Apply the appropriate update according to the information provided by the developer.

[Apply the workaround]
If the update cannot be applied for some reason, disable the affected product's WebGUI.

For more details, refer to the information provided by the developer.

Vendor Information

NEC Corporation

CWE

  1. Cross-site Scripting (CWE-79) [IPA Evaluation]

CVE

  1. CVE-2025-8153

References

  1. JVN : JVN#95938761

Revision History

  • [2025/09/18]
      Web page was published