Description
OS Command Injection vulnerability in NEC Platforms, Ltd. Aterm Series allows a attacker to execute arbitrary OS commands via network.
Published: 2026-03-27
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Command Execution
Action: Immediate Patch
AI Analysis

Impact

An OS Command Injection flaw permits an attacker to run arbitrary operating‑system commands on NEC’s Aterm series devices through a network interface. The vulnerability is a classic command injection (CWE‑78) that can be leveraged to compromise confidentiality, integrity, and availability of the affected devices, potentially giving attackers full administrative control over the network equipment.

Affected Systems

The security issue affects NEC Platforms, Ltd. Aterm networking devices, including the WF1200CR, WG1200CR, WG2600HM4, WG2600HP4, WG2600HS, WG2600HS2, WX3000HP, and WX3000HP2 models. No specific firmware or hardware version details are listed in the advisory, so any device after the initial release may be at risk until a vendor update is applied.

Risk and Exploitability

The CVSS score of 7.1 underscores a high severity, and the exploit is network‑based, meaning an attacker only needs connectivity to the device’s management or configuration interface. While the EPSS score is not available and the vulnerability is not in CISA's KEV catalog, the potential impact warrants prompt remediation. The advisory does not detail an exploit in the wild, but the known vector and high score suggest the issue should be treated as credible.

Generated by OpenCVE AI on March 27, 2026 at 13:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Download and install the latest firmware update from NEC’s security portal.
  • Verify that the update contains a fix for the command injection flaw before deployment.
  • If a firmware update is unavailable, disable remote management interfaces unless required for business operations.
  • Ensure that all administrative credentials are unique, strong, and changed regularly.
  • Regularly monitor device logs for evidence of unauthorized command execution.

Generated by OpenCVE AI on March 27, 2026 at 13:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Nec aterm Gb1200pe
Nec aterm Gb1200pe Firmware
Nec aterm Wf1200cr Firmware
Nec aterm Wg1200cr Firmware
Nec aterm Wg2600hm4 Firmware
Nec aterm Wg2600hp4 Firmware
Nec aterm Wg2600hs2 Firmware
Nec aterm Wg2600hs Firmware
Nec aterm Wx3000hp2 Firmware
Nec aterm Wx3000hp Firmware
CPEs cpe:2.3:h:nec:aterm_gb1200pe:-:*:*:*:*:*:*:*
cpe:2.3:h:nec:aterm_wf1200cr:-:*:*:*:*:*:*:*
cpe:2.3:h:nec:aterm_wg1200cr:-:*:*:*:*:*:*:*
cpe:2.3:h:nec:aterm_wg2600hm4:-:*:*:*:*:*:*:*
cpe:2.3:h:nec:aterm_wg2600hp4:-:*:*:*:*:*:*:*
cpe:2.3:h:nec:aterm_wg2600hs2:-:*:*:*:*:*:*:*
cpe:2.3:h:nec:aterm_wg2600hs:-:*:*:*:*:*:*:*
cpe:2.3:h:nec:aterm_wx3000hp2:-:*:*:*:*:*:*:*
cpe:2.3:h:nec:aterm_wx3000hp:-:*:*:*:*:*:*:*
cpe:2.3:o:nec:aterm_gb1200pe_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:nec:aterm_wf1200cr_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:nec:aterm_wg1200cr_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:nec:aterm_wg2600hm4_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:nec:aterm_wg2600hp4_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:nec:aterm_wg2600hs2_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:nec:aterm_wg2600hs_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:nec:aterm_wx3000hp2_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:nec:aterm_wx3000hp_firmware:*:*:*:*:*:*:*:*
Vendors & Products Nec aterm Gb1200pe
Nec aterm Gb1200pe Firmware
Nec aterm Wf1200cr Firmware
Nec aterm Wg1200cr Firmware
Nec aterm Wg2600hm4 Firmware
Nec aterm Wg2600hp4 Firmware
Nec aterm Wg2600hs2 Firmware
Nec aterm Wg2600hs Firmware
Nec aterm Wx3000hp2 Firmware
Nec aterm Wx3000hp Firmware
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Mon, 30 Mar 2026 08:15:00 +0000

Type Values Removed Values Added
First Time appeared Nec
Nec aterm Wf1200cr
Nec aterm Wg1200cr
Nec aterm Wg2600hm4
Nec aterm Wg2600hp4
Nec aterm Wg2600hs
Nec aterm Wg2600hs2
Nec aterm Wx3000hp
Nec aterm Wx3000hp2
Vendors & Products Nec
Nec aterm Wf1200cr
Nec aterm Wg1200cr
Nec aterm Wg2600hm4
Nec aterm Wg2600hp4
Nec aterm Wg2600hs
Nec aterm Wg2600hs2
Nec aterm Wx3000hp
Nec aterm Wx3000hp2

Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Title Network-Based OS Command Injection in NEC Aterm Series Routers

Fri, 27 Mar 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Description OS Command Injection vulnerability in NEC Platforms, Ltd. Aterm Series allows a attacker to execute arbitrary OS commands via network.
Weaknesses CWE-78
References
Metrics cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Nec Aterm Gb1200pe Aterm Gb1200pe Firmware Aterm Wf1200cr Aterm Wf1200cr Firmware Aterm Wg1200cr Aterm Wg1200cr Firmware Aterm Wg2600hm4 Aterm Wg2600hm4 Firmware Aterm Wg2600hp4 Aterm Wg2600hp4 Firmware Aterm Wg2600hs Aterm Wg2600hs2 Aterm Wg2600hs2 Firmware Aterm Wg2600hs Firmware Aterm Wx3000hp Aterm Wx3000hp2 Aterm Wx3000hp2 Firmware Aterm Wx3000hp Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: NEC

Published:

Updated: 2026-04-10T04:14:44.673Z

Reserved: 2026-03-23T06:04:49.866Z

Link: CVE-2026-4622

cve-icon Vulnrichment

Updated: 2026-03-27T12:52:57.280Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-27T12:16:21.133

Modified: 2026-04-20T15:22:41.390

Link: CVE-2026-4622

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-30T07:59:43Z

Weaknesses