Description
Missing Authorization vulnerability in NEC Platforms, Ltd. Aterm Series allows an attacker to get specific device information and change the settings via network.
Published: 2026-03-27
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Configuration Changes and Device Information Disclosure
Action: Apply Patch
AI Analysis

Impact

A missing authorization check in NEC Platforms Aterm series routers allows an attacker who can reach the device through its network interfaces to retrieve detailed device information and modify configuration settings, all without valid credentials. This vulnerability can lead to unauthorized alteration of router behavior or exposure of sensitive device data. The weakness is classified as a missing authorization error.

Affected Systems

NEC Platforms Aterm Series routers, including models W1200EX, WF1200CR, WG1200CR, WG1200HP2 to HP4, WG1200HS2 to HS4, WG1800HP3 to HP4, WG1900HP to HP2, WG2600HM4 to HS2, and WX1500HP to WX3600HP. No specific firmware or version details are provided, so the entire model range may be affected.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity. EPSS information is unavailable and the vulnerability is not listed in the CISA KEV catalog. Exploitation would require the attacker to have network connectivity to the router, which could be local or remote if the device is exposed. No public exploitation data or known scripts are documented, so the current risk depends on the exposure of the router and the presence of an update to address the issue.

Generated by OpenCVE AI on March 27, 2026 at 13:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update released by NEC for the affected Aterm models
  • If no update is available, disable or block external management interfaces and restrict internal access to the router configuration pages
  • Change default administrative credentials and enforce strong passwords
  • Configure firewall rules to limit management access to trusted IP addresses
  • Monitor router logs for unauthorized configuration changes

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 20:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Missing Authorization Enables Unauthorized Retrieval and Modification on NEC Aterm Routers |

Fri, 27 Mar 2026 13:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Fri, 27 Mar 2026 12:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Missing Authorization vulnerability in NEC Platforms, Ltd. Aterm Series allows an attacker to get specific device information and change the settings via network. |
| Weaknesses | | CWE-862 |
| References | | |
| Metrics | | cvssV4_0 {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: NEC

Published:

Updated: 2026-03-27T12:15:32.249Z

Reserved: 2026-03-17T01:53:09.153Z

Link: CVE-2026-4309

Vulnrichment

Updated: 2026-03-27T12:15:26.979Z

NVD

Status: Received

Published: 2026-03-27T12:16:20.370

Modified: 2026-03-27T12:16:20.370

Link: CVE-2026-4309

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T15:47:06Z

Weaknesses