Description
OS Command Injection vulnerability in NEC Platforms, Ltd. Aterm Series allows a attacker to execute arbitrary OS commands via network.
Published: 2026-03-27
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

The vulnerability is an OS command injection that lets an attacker run arbitrary OS commands on the router through network inputs. The primary impact is remote code execution, allowing full system compromise or control of the device. This weakness is a CWE-78 type injection.

Affected Systems

Affected systems include NEC Platforms, Ltd. routers Aterm WX1500HP and Aterm WX3600HP. The vulnerability affects all firmware versions installed on these devices; specific version numbers are not supplied.

Risk and Exploitability

The CVSS score of 7.1 indicates moderate to high severity. No EPSS score is provided and the vulnerability is not listed in the KEV catalog, suggesting it is not yet widely exploited. The likely attack vector is over the network, where an attacker crafts input that is executed by the operating system with command‑execution privileges.

Generated by OpenCVE AI on March 27, 2026 at 13:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Review the NEC security advisory and apply the latest firmware update that addresses the command injection.
  • If a patch is not immediately available, block external access to the router’s management interface by configuring firewall rules or isolating the device from untrusted networks.
  • Disable any unnecessary services and change default credentials to enforce strong passwords.
  • Monitor device logs for suspicious command execution attempts and investigate any anomalies promptly.

Generated by OpenCVE AI on March 27, 2026 at 13:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Nec aterm Wx1500hp Firmware
Nec aterm Wx3600hp Firmware
CPEs cpe:2.3:h:nec:aterm_wx1500hp:-:*:*:*:*:*:*:*
cpe:2.3:h:nec:aterm_wx3600hp:-:*:*:*:*:*:*:*
cpe:2.3:o:nec:aterm_wx1500hp_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:nec:aterm_wx3600hp_firmware:*:*:*:*:*:*:*:*
Vendors & Products Nec aterm Wx1500hp Firmware
Nec aterm Wx3600hp Firmware
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Mon, 30 Mar 2026 08:15:00 +0000

Type Values Removed Values Added
First Time appeared Nec
Nec aterm Wx1500hp
Nec aterm Wx3600hp
Vendors & Products Nec
Nec aterm Wx1500hp
Nec aterm Wx3600hp

Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Title OS Command Injection via Network on NEC Aterm Routers

Fri, 27 Mar 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Description OS Command Injection vulnerability in NEC Platforms, Ltd. Aterm Series allows a attacker to execute arbitrary OS commands via network.
Weaknesses CWE-78
References
Metrics cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Nec Aterm Wx1500hp Aterm Wx1500hp Firmware Aterm Wx3600hp Aterm Wx3600hp Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: NEC

Published:

Updated: 2026-04-10T04:13:14.137Z

Reserved: 2026-03-23T06:04:47.524Z

Link: CVE-2026-4620

cve-icon Vulnrichment

Updated: 2026-03-27T12:47:59.442Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-27T12:16:20.757

Modified: 2026-04-20T15:19:10.070

Link: CVE-2026-4620

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-30T07:59:42Z

Weaknesses