Skip to main content

Severity by source

NVD PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Mar 27, 2026 - 12:00 euvd
EUVD-2026-16583
Analysis Generated
Mar 27, 2026 - 12:00 vuln.today
CVE Published
Mar 27, 2026 - 11:46 nvd
MEDIUM 6.3

DescriptionCVE.org

Missing Authorization vulnerability in NEC Platforms, Ltd. Aterm Series allows a attacker to get a specific device information and change the settings via network.

AnalysisAI

NEC Aterm wireless router series (W1200Ex-MS, WG1200HP2, WG1900HP, WG1800HP3, WG1800HP4, WG1200HP3, WG1200HP4, WG1200HS2, WG1200HS3, WX1500HP, WX3000HP, WX3600HP, WG2600HS, WG2600HS2, WG2600HP4, WG2600HM4, WF1200CR, WG1200CR, and others) suffer from missing authorization controls that enable remote attackers to enumerate device configuration details and modify settings without proper access controls. The vulnerability stems from CWE-862 (Missing Authorization) in the device management interface, allowing unauthenticated or inadequately authenticated network-accessible requests to interact with sensitive administrative functions. No CVSS score, EPSS probability estimate, or public exploit code has been disclosed, and CISA KEV status is unknown.

Technical ContextAI

NEC Aterm Series routers are consumer and small-business wireless networking devices that expose web-based device management interfaces for configuration and monitoring. The vulnerability resides in the authorization layer of this management interface, which fails to properly validate user privileges before permitting access to sensitive operations. CWE-862 (Missing Authorization) classifies this as a broken access control flaw where the application does not perform authorization checks after authentication or skips authentication entirely for certain endpoints. The affected CPE strings (cpe:2.3:a:nec_platforms,_ltd.:aterm_*) cover multiple product lines and firmware revisions, suggesting the flaw is systemic across the Aterm platform. Remote attackers can exploit this via standard HTTP/HTTPS requests to the router's management interface without requiring valid credentials or with minimal privilege escalation.

RemediationAI

Contact NEC Platforms, Ltd. and check https://jpn.nec.com/security-info/secinfo/nv26-001_en.html for firmware patches addressing CVE-2026-4309. If a patched firmware version is available, update your Aterm device immediately through the device management interface or via USB recovery. Until patching is complete, implement network mitigations: (1) restrict access to the router's management interface to trusted administrative hosts only via firewall rules; (2) change the default management port or disable remote management if the feature is enabled; (3) isolate router management traffic on a separate administrative VLAN; (4) use strong administrative credentials and rotate passwords immediately if unauthorized access is suspected. For organizations managing multiple Aterm devices, establish a firmware update schedule and centralized monitoring to detect unauthorized configuration changes.

Share

CVE-2026-4309 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy