Description
An OS Command Injection vulnerability exists in Aterm. If a malicious third person gains administrator access to the product’s web console, they may be able to execute arbitrary OS commands via adjacent network.
Published: 2026-05-25
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An OS Command Injection flaw allows a malicious actor who has gained administrator access to the Aterm web console to execute arbitrary operating system commands. The vulnerability is triggered via the web interface and can be exercised from any adjacent network location, providing the attacker control over the underlying operating system.

Affected Systems

The flaw affects NEC Platforms, Ltd. Aterm CM51FD and Aterm MR51FN devices. Any system running either product where the web console is exposed to a network and can be accessed with administrative credentials is vulnerable.

Risk and Exploitability

With a CVSS score of 8.5, the vulnerability is high severity. No EPSS score is available and the flaw is not listed in the CISA KEV catalog. The likely attack vector is remote network access to the web console requiring prior administrative authentication; once authenticated, an attacker can trigger the command injection.

Generated by OpenCVE AI on May 25, 2026 at 04:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware or security patch issued by NEC for the affected Aterm devices.
  • Restrict access to the web console to trusted IP addresses or a secure, isolated network segment.
  • If possible, disable or limit web‑interface features that allow execution of operating‑system commands.
  • Continuously monitor the web console for unauthorized access attempts and verify that administrative credentials remain secure.

Generated by OpenCVE AI on May 25, 2026 at 04:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 26 May 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 25 May 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Necplatforms
Necplatforms aterm Cm51fd
Necplatforms aterm Mr51fn
Vendors & Products Necplatforms
Necplatforms aterm Cm51fd
Necplatforms aterm Mr51fn

Mon, 25 May 2026 05:15:00 +0000

Type Values Removed Values Added
Title Command Injection Vulnerability in NEC Aterm Web Console

Mon, 25 May 2026 03:30:00 +0000

Type Values Removed Values Added
Description An OS Command Injection vulnerability exists in Aterm. If a malicious third person gains administrator access to the product’s web console, they may be able to execute arbitrary OS commands via adjacent network.
Weaknesses CWE-78
References
Metrics cvssV4_0

{'score': 8.5, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Necplatforms Aterm Cm51fd Aterm Mr51fn
cve-icon MITRE

Status: PUBLISHED

Assigner: NEC

Published:

Updated: 2026-05-26T14:43:51.202Z

Reserved: 2026-05-15T04:57:29.637Z

Link: CVE-2026-8652

cve-icon Vulnrichment

Updated: 2026-05-26T14:43:45.627Z

cve-icon NVD

Status : Deferred

Published: 2026-05-25T04:16:25.297

Modified: 2026-05-26T20:14:49.350

Link: CVE-2026-8652

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-25T11:33:04Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')