Description
An OS Command Injection vulnerability exists in Aterm. If a malicious third person gains administrator access to the product’s web console, they may be able to execute arbitrary OS commands via adjacent network.
Published: 2026-05-25
Score: 8.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An OS Command Injection flaw allows a malicious actor who has gained administrator access to the Aterm web console to execute arbitrary operating system commands. The vulnerability is triggered via the web interface and can be exercised from any adjacent network location, providing the attacker control over the underlying operating system.

Affected Systems

The flaw affects NEC Platforms, Ltd. Aterm CM51FD and Aterm MR51FN devices. Any system running either product where the web console is exposed to a network and can be accessed with administrative credentials is vulnerable.

Risk and Exploitability

With a CVSS score of 8.5, the vulnerability is high severity. No EPSS score is available and the flaw is not listed in the CISA KEV catalog. The likely attack vector is remote network access to the web console requiring prior administrative authentication; once authenticated, an attacker can trigger the command injection.

Generated by OpenCVE AI on May 25, 2026 at 04:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware or security patch issued by NEC for the affected Aterm devices.
  • Restrict access to the web console to trusted IP addresses or a secure, isolated network segment.
  • If possible, disable or limit web‑interface features that allow execution of operating‑system commands.
  • Continuously monitor the web console for unauthorized access attempts and verify that administrative credentials remain secure.

Generated by OpenCVE AI on May 25, 2026 at 04:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 25 May 2026 05:15:00 +0000

Type Values Removed Values Added
Title Command Injection Vulnerability in NEC Aterm Web Console

Mon, 25 May 2026 03:30:00 +0000

Type Values Removed Values Added
Description An OS Command Injection vulnerability exists in Aterm. If a malicious third person gains administrator access to the product’s web console, they may be able to execute arbitrary OS commands via adjacent network.
Weaknesses CWE-78
References
Metrics cvssV4_0

{'score': 8.5, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: NEC

Published:

Updated: 2026-05-25T02:40:41.776Z

Reserved: 2026-05-15T04:57:29.637Z

Link: CVE-2026-8652

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-25T05:00:12Z

Weaknesses