CVE-2026-4309
Missing Authorization in NEC Aterm Devices Enables Settings Modification
Publication date: 2026-03-27
Last updated on: 2026-04-20
Assigner: NEC Corporation
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nec | aterm_wg2600hs_firmware | to 1.7.2 (exc) |
| nec | aterm_wf1200cr_firmware | to 1.6.0 (exc) |
| nec | aterm_wg1200cr_firmware | to 1.5.0 (exc) |
| nec | aterm_wg2600hp4_firmware | to 1.4.2 (exc) |
| nec | aterm_wg2600hm4_firmware | to 1.4.2 (exc) |
| nec | aterm_wg2600hs2_firmware | to 1.3.2 (exc) |
| nec | aterm_wx3000hp_firmware | to 2.5.0 (exc) |
| nec | aterm_wx3600hp_firmware | to 1.5.3 (inc) |
| nec | aterm_w1200ex-ms_firmware | * |
| nec | aterm_wg1200hp2_firmware | * |
| nec | aterm_wg1900hp_firmware | * |
| nec | aterm_wg1200hs2_firmware | * |
| nec | aterm_wg1800hp3_firmware | * |
| nec | aterm_wg1200hp3_firmware | * |
| nec | aterm_wg1900hp2_firmware | * |
| nec | aterm_wg1200hs3_firmware | * |
| nec | aterm_wg1800hp4_firmware | * |
| nec | aterm_wg1200hp4_firmware | * |
| nec | aterm_wg1200hs4_firmware | * |
| nec | aterm_wx1500hp_firmware | to 1.4.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Missing Authorization issue in NEC Platforms, Ltd. Aterm Series devices. It allows an attacker to access specific device information and change the device settings over the network without proper authorization.
How can this vulnerability impact me?
An attacker exploiting this vulnerability can obtain sensitive device information and modify device settings remotely. This could lead to unauthorized changes in device configuration, potential disruption of device functionality, and exposure of sensitive data.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability CVE-2026-4309 allows unauthorized access to specific device information and the ability to change device settings via the network. This unauthorized access could potentially lead to exposure or manipulation of sensitive data managed by the affected devices.
Such unauthorized access and control may impact compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive information to prevent unauthorized disclosure or modification.
However, the provided resources do not explicitly discuss the direct impact of this vulnerability on compliance with these standards or regulations.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the CVE-2026-4309 vulnerability in NEC Aterm series devices, the immediate step is to update the device firmware to the fixed versions provided by NEC.
This vulnerability allows unauthorized access to device information and settings changes, so applying the firmware update is critical to prevent exploitation.