HIGH · 7.5

CVE-2017-12575

Vulnerability Description

An issue was discovered on the NEC Aterm WG2600HP2 1.0.2. The router has a set of web service APIs for access to and setup of the configuration. Some APIs don't require authentication. An attacker could exploit this vulnerability by sending a crafted HTTP request to retrieve DHCP clients, firmware version, and network status (ex.: curl -X http://[IP]/aterm_httpif.cgi/negotiate -d "REQ_ID=SUPPORT_IF_GET").

CVSS Score

7.5

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: HIGH
Integrity: NONE
Availability: NONE

Affected Products

Vendor | Product | Versions
Aterm | Wg2600Hp2 Firmware | 1.0.2
Aterm | Wg2600Hp2 | -

Related Weaknesses (CWE)

References

FAQ

What is CVE-2017-12575?

CVE-2017-12575 is a vulnerability with a CVSS score of 7.5 (HIGH). An issue was discovered on the NEC Aterm WG2600HP2 1.0.2. The router has a set of web service APIs for access to and setup of the configuration. Some APIs don't require authentication. An attacker cou...

How severe is CVE-2017-12575?

CVE-2017-12575 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2017-12575?

Check the references section above for vendor advisories and patch information. Affected products include: Aterm Wg2600Hp2 Firmware, Aterm Wg2600Hp2.