Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in NEC Platforms, Ltd. Aterm Series allows a attacker to get a specific device information and change the settings via network.
AnalysisAI
NEC Aterm wireless router series (W1200Ex-MS, WG1200HP2, WG1900HP, WG1800HP3, WG1800HP4, WG1200HP3, WG1200HP4, WG1200HS2, WG1200HS3, WX1500HP, WX3000HP, WX3600HP, WG2600HS, WG2600HS2, WG2600HP4, WG2600HM4, WF1200CR, WG1200CR, and others) suffer from missing authorization controls that enable remote attackers to enumerate device configuration details and modify settings without proper access controls. The vulnerability stems from CWE-862 (Missing Authorization) in the device management interface, allowing unauthenticated or inadequately authenticated network-accessible requests to interact with sensitive administrative functions. No CVSS score, EPSS probability estimate, or public exploit code has been disclosed, and CISA KEV status is unknown.
Technical ContextAI
NEC Aterm Series routers are consumer and small-business wireless networking devices that expose web-based device management interfaces for configuration and monitoring. The vulnerability resides in the authorization layer of this management interface, which fails to properly validate user privileges before permitting access to sensitive operations. CWE-862 (Missing Authorization) classifies this as a broken access control flaw where the application does not perform authorization checks after authentication or skips authentication entirely for certain endpoints. The affected CPE strings (cpe:2.3:a:nec_platforms,_ltd.:aterm_*) cover multiple product lines and firmware revisions, suggesting the flaw is systemic across the Aterm platform. Remote attackers can exploit this via standard HTTP/HTTPS requests to the router's management interface without requiring valid credentials or with minimal privilege escalation.
RemediationAI
Contact NEC Platforms, Ltd. and check https://jpn.nec.com/security-info/secinfo/nv26-001_en.html for firmware patches addressing CVE-2026-4309. If a patched firmware version is available, update your Aterm device immediately through the device management interface or via USB recovery. Until patching is complete, implement network mitigations: (1) restrict access to the router's management interface to trusted administrative hosts only via firewall rules; (2) change the default management port or disable remote management if the feature is enabled; (3) isolate router management traffic on a separate administrative VLAN; (4) use strong administrative credentials and rotate passwords immediately if unauthorized access is suspected. For organizations managing multiple Aterm devices, establish a firmware update schedule and centralized monitoring to detect unauthorized configuration changes.
More in Aterm W1200Ex Ms
View allSame weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16583
GHSA-gqp3-283g-mgqc