JVNDB-2026-000049

Multiple vulnerabilities in NEC Aterm series (NV26-001)

Overview

Aterm series products provided by NEC Corporation contain multiple vulnerabilities listed below.
  • Missing authorization (CWE-862) - CVE-2026-4309
  • Path traversal (CWE-22) - CVE-2026-4619
  • OS command injection (CWE-78) - CVE-2026-4620, CVE-2026-4622
  • Hidden functionality (CWE-912) - CVE-2026-4621
The vulnerabilities were reported by the following people, and JPCERT/CC coordinated with the developer.

CVE-2026-4309
Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.

CVE-2026-4619, CVE-2026-4620, CVE-2026-4621, CVE-2026-4622
Chuya Hayakawa of 00One, Inc. reported these vulnerabilities to JPCERT/CC.
Affected Products


NEC Corporation
  • (multiple products)

Multiple Aterm models are affected.
Refer to the advisory provided by NEC for detailed information.

Impact

  • Some device-specific information may be retrieved, resulting in unintended changes to the settings (CVE-2026-4309)
  • Arbitrary files on the affected device may be overwritten (CVE-2026-4619)
  • Arbitrary OS commands may be executed on the affected device (CVE-2026-4620, CVE-2026-4622)
  • The telnet service may be enabled (CVE-2026-4621)

Solution

The solution varies depending on the models.
For more information, refer to the information provided by the developer.

Vendor Information

NEC Corporation

CWE

  1. Path Traversal (CWE-22) [IPA Evaluation]
  2. OS Command Injection (CWE-78) [IPA Evaluation]
  3. No Mapping (CWE-Other) [IPA Evaluation]

CVE

  1. CVE-2026-4309
  2. CVE-2026-4619
  3. CVE-2026-4620
  4. CVE-2026-4621
  5. CVE-2026-4622

References

  1. JVN : JVN#89339669

Revision History

  • [2026/04/03]
      Web page was published