Katsunari Yoshioka

**Name of the Vulnerable Software and Affected Versions** NETGEAR (affected versions not specified) **Description** Certain end-of-service NETGEAR products feature a “TelnetEnable” functionality. This functionality permits a magic packet to activate the telnet service on the device, potentially leading to unauthorized access. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** NEC Corporation Aterm WX1500HP versions 1.4.2 and earlier NEC Corporation Aterm WX3600HP versions 1.5.3 and earlier **Description** The issue allows an attacker to execute arbitrary OS commands via the network. This can be done through the internet, potentially affecting a wide range of devices. **Recommendations** For NEC Corporation Aterm WX1500HP versions 1.4.2 and earlier, update to a version later than 1.4.2 to resolve the issue. For NEC Corporation Aterm WX3600HP versions 1.5.3 and earlier, update to a version later than 1.5.3 to resolve the issue. As a temporary workaround, consider restricting network access to the devices until a patch is available.

**Name of the Vulnerable Software and Affected Versions** NEC Corporation Aterm WG2600HS versions 1.7.2 and earlier NEC Corporation Aterm WF1200CRS versions 1.6.0 and earlier NEC Corporation Aterm WG1200CRS versions 1.5.0 and earlier NEC Corporation Aterm GB1200PE versions 1.3.0 and earlier NEC Corporation Aterm WG2600HP4 versions 1.4.2 and earlier NEC Corporation Aterm WG2600HM4 versions 1.4.2 and earlier NEC Corporation Aterm WG2600HS2 versions 1.3.2 and earlier NEC Corporation Aterm WX3000HP versions 2.4.2 and earlier NEC Corporation Aterm WX4200D5 versions 1.2.4 and earlier **Description** The issue allows an attacker to obtain a Wi-Fi password via the network due to missing authentication for a critical function. **Recommendations** For NEC Corporation Aterm WG2600HS versions 1.7.2 and earlier, update to a version later than 1.7.2. For NEC Corporation Aterm WF1200CRS versions 1.6.0 and earlier, update to a version later than 1.6.0. For NEC Corporation Aterm WG1200CRS versions 1.5.0 and earlier, update to a version later than 1.5.0. For NEC Corporation Aterm GB1200PE versions 1.3.0 and earlier, update to a version later than 1.3.0. For NEC Corporation Aterm WG2600HP4 versions 1.4.2 and earlier, update to a version later than 1.4.2. For NEC Corporation Aterm WG2600HM4 versions 1.4.2 and earlier, update to a version later than 1.4.2. For NEC Corporation Aterm WG2600HS2 versions 1.3.2 and earlier, update to a version later than 1.3.2. For NEC Corporation Aterm WX3000HP versions 2.4.2 and earlier, update to a version later than 2.4.2. For NEC Corporation Aterm WX4200D5 versions 1.2.4 and earlier, update to a version later than 1.2.4.

**Name of the Vulnerable Software and Affected Versions** NEC Corporation Aterm WG2600HS versions 1.7.2 and earlier NEC Corporation Aterm WG2600HP4 versions 1.4.2 and earlier NEC Corporation Aterm WG2600HM4 versions 1.4.2 and earlier NEC Corporation Aterm WG2600HS2 versions 1.3.2 and earlier NEC Corporation Aterm WX3000HP versions 2.4.2 and earlier NEC Corporation Aterm WX4200D5 versions 1.2.4 and earlier **Description** A cross-site scripting issue allows an attacker to inject an arbitrary script via the network. This can potentially lead to unauthorized actions on the affected system. **Recommendations** For NEC Corporation Aterm WG2600HS versions 1.7.2 and earlier, update to a version later than 1.7.2 to resolve the issue. For NEC Corporation Aterm WG2600HP4 versions 1.4.2 and earlier, update to a version later than 1.4.2 to resolve the issue. For NEC Corporation Aterm WG2600HM4 versions 1.4.2 and earlier, update to a version later than 1.4.2 to resolve the issue. For NEC Corporation Aterm WG2600HS2 versions 1.3.2 and earlier, update to a version later than 1.3.2 to resolve the issue. For NEC Corporation Aterm WX3000HP versions 2.4.2 and earlier, update to a version later than 2.4.2 to resolve the issue. For NEC Corporation Aterm WX4200D5 versions 1.2.4 and earlier, update to a version later than 1.2.4 to resolve the issue.

Name of the Vulnerable Software and Affected Versions: PLANEX COMMUNICATIONS network cameras (affected versions not specified) Description: A cross-site scripting issue exists in the web management page of the network cameras. If a logged-in user accesses a specific file, an arbitrary script may be executed on the user's web browser. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** NEC Corporation Aterm WG1800HP4, WG1200HS3, WG1900HP2, WG1200HP3, WG1800HP3, WG1200HS2, WG1900HP, WG1200HP2, W1200EX(-MS), WG1200HS, WG1200HP, WF300HP2, W300P, WF800HP, WR8165N, WG2200HP, WF1200HP2, WG1800HP2, WF1200HP, WG600HP, WG300HP, WF300HP, WG1800HP, WG1400HP, WR8175N, WR9300N, WR8750N, WR8160N, WR9500N, WR8600N, WR8370N, WR8170N, WR8700N, WR8300N, WR8150N, WR4100N, WR4500N, WR8100N, WR8500N, CR2500P, WR8400N, WR8200N, WR1200H, WR7870S, WR6670S, WR7850S, WR6650S, WR6600H, WR7800H, WM3400RN, WM3450RN, WM3500R, WM3600R, WM3800R, WR8166N, MR01LN, MR02LN, WG1810HP(JE), and WG1810HP(MF) all versions **Description** The issue allows an attacker to execute an arbitrary OS command via the internet due to the use of a hard-coded password. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Aterm WG1800HP4, WG1200HS3, WG1900HP2, WG1200HP3, WG1800HP3, WG1200HS2, WG1900HP, WG1200HP2, W1200EX(-MS), WG1200HS, WG1200HP, WF300HP2, W300P, WF800HP, WR8165N, WG2200HP, WF1200HP2, WG1800HP2, WF1200HP, WG600HP, WG300HP, WF300HP, WG1800HP, WG1400HP, WR8175N, WR9300N, WR8750N, WR8160N, WR9500N, WR8600N, WR8370N, WR8170N, WR8700N, WR8300N, WR8150N, WR4100N, WR4500N, WR8100N, WR8500N, CR2500P, WR8400N, WR8200N, WR1200H, WR7870S, WR6670S, WR7850S, WR6650S, WR6600H, WR7800H, WM3400RN, WM3450RN, WM3500R, WM3600R, WM3800R, WR8166N, MR01LN, MR02LN, WG1810HP(JE), and WG1810HP(MF) all versions **Description** The issue allows an attacker who has obtained high privileges to execute arbitrary scripts. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** NEC Corporation Aterm WG1800HP4, WG1200HS3, WG1900HP2, WG1200HP3, WG1800HP3, WG1200HS2, WG1900HP, WG1200HP2, W1200EX(-MS), WG1200HS, WG1200HP, WF300HP2, W300P, WF800HP, WR8165N, WG2200HP, WF1200HP2, WG1800HP2, WF1200HP, WG600HP, WG300HP, WF300HP, WG1800HP, WG1400HP, WR8175N, WR9300N, WR8750N, WR8160N, WR9500N, WR8600N, WR8370N, WR8170N, WR8700N, WR8300N, WR8150N, WR4100N, WR4500N, WR8100N, WR8500N, CR2500P, WR8400N, WR8200N, WR1200H, WR7870S, WR6670S, WR7850S, WR6650S, WR6600H, WR7800H, WM3400RN, WM3450RN, WM3500R, WM3600R, WM3800R, WR8166N, MR01LN, MR02LN, WG1810HP(JE), and WG1810HP(MF) all versions **Description** The issue is related to improper access control, allowing an attacker to obtain device information via the internet. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** NEC Corporation Aterm WG1800HP4, WG1200HS3, WG1900HP2, WG1200HP3, WG1800HP3, WG1200HS2, WG1900HP, WG1200HP2, W1200EX(-MS), WG1200HS, WG1200HP, WF300HP2, W300P, WF800HP, WR8165N, WG2200HP, WF1200HP2, WG1800HP2, WF1200HP, WG600HP, WG300HP, WF300HP, WG1800HP, WG1400HP, WR8175N, WR9300N, WR8750N, WR8160N, WR9500N, WR8600N, WR8370N, WR8170N, WR8700N, WR8300N, WR8150N, WR4100N, WR4500N, WR8100N, WR8500N, CR2500P, WR8400N, WR8200N, WR1200H, WR7870S, WR6670S, WR7850S, WR6650S, WR6600H, WR7800H, WM3400RN, WM3450RN, WM3500R, WM3600R, WM3800R, WR8166N, MR01LN, MR02LN, WG1810HP(JE), and WG1810HP(MF) all versions **Description** The issue is related to an improper authentication vulnerability that allows an attacker to execute an arbitrary command with root privilege via the internet. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** NEC Corporation Aterm WG1800HP4, WG1200HS3, WG1900HP2, WG1200HP3, WG1800HP3, WG1200HS2, WG1900HP, WG1200HP2, W1200EX(-MS), WG1200HS, WG1200HP, WF300HP2, W300P, WF800HP, WR8165N, WG2200HP, WF1200HP2, WG1800HP2, WF1200HP, WG600HP, WG300HP, WF300HP, WG1800HP, WG1400HP, WR8175N, WR9300N, WR8750N, WR8160N, WR9500N, WR8600N, WR8370N, WR8170N, WR8700N, WR8300N, WR8150N, WR4100N, WR4500N, WR8100N, WR8500N, CR2500P, WR8400N, WR8200N, WR1200H, WR7870S, WR6670S, WR7850S, WR6650S, WR6600H, WR7800H, WM3400RN, WM3450RN, WM3500R, WM3600R, WM3800R, WR8166N, MR01LN, MR02LN, WG1810HP(JE), and WG1810HP(MF) all versions **Description** The issue allows an attacker to execute an arbitrary OS command with root privilege via the internet. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FUJIFILM printers (affected versions not specified) **Description** A cross-site request forgery issue allows a remote unauthenticated attacker to alter user information. If the targeted user is an administrator, settings such as the administrator's ID, password, etc., may be altered. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Brother printers and scanners (affected versions not specified) **Description** A cross-site request forgery issue allows a remote unauthenticated attacker to perform unintended operations on the affected product. The vulnerability is present in multiple printers and scanners that implement Web Based Management provided by BROTHER INDUSTRIES, LTD. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Brother products (affected versions not specified) **Description** An improper authentication vulnerability exists in multiple printers and scanners that implement Web Based Management provided by BROTHER INDUSTRIES, LTD. This vulnerability can be exploited by a network-adjacent user to impersonate an administrative user. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FXC AE1021 firmware version 2.0.9 and earlier FXC AE1021PE firmware version 2.0.9 and earlier **Description** An OS command injection vulnerability exists, allowing an attacker who can log in to the product to execute arbitrary OS commands. The vulnerability is related to the lack of measures to neutralize special elements used in the OS command. Exploitation of this vulnerability may allow a remote attacker to execute arbitrary commands. New botnet malware has been found to exploit this flaw in routers. **Recommendations** For FXC AE1021 firmware version 2.0.9 and earlier, update to a version later than 2.0.9 to resolve the issue. For FXC AE1021PE firmware version 2.0.9 and earlier, update to a version later than 2.0.9 to resolve the issue. As a temporary workaround, consider restricting access to the product to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** T&D Corporation data logger products versions all firmware versions ESPEC MIC CORP. data logger products versions all firmware versions **Description** Cross-site request forgery (CSRF) allows a remote unauthenticated attacker to conduct an arbitrary operation by having a logged-in user view a malicious page. **Recommendations** For T&D Corporation data logger products, consider disabling access to the web interface until a patch is available. For ESPEC MIC CORP. data logger products, restrict access to the web interface to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** T&D Corporation data logger products (TR-71W/72W all firmware versions, RTR-5W all firmware versions, WDR-7 all firmware versions, WDR-3 all firmware versions, and WS-2 all firmware versions) ESPEC MIC CORP. data logger products (RT-12N/RS-12N all firmware versions, RT-22BN all firmware versions, and TEU-12N all firmware versions) **Description** A client-side enforcement of server-side security issue exists in T&D Corporation and ESPEC MIC CORP. data logger products, which may lead to an arbitrary script execution on a logged-in user's web browser. **Recommendations** For T&D Corporation data logger products (TR-71W/72W all firmware versions, RTR-5W all firmware versions, WDR-7 all firmware versions, WDR-3 all firmware versions, and WS-2 all firmware versions), consider disabling the web interface until a patch is available. For ESPEC MIC CORP. data logger products (RT-12N/RS-12N all firmware versions, RT-22BN all firmware versions, and TEU-12N all firmware versions), restrict access to the web interface to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** T&D Corporation data logger products versions TR-71W/72W all firmware versions, RTR-5W all firmware versions, WDR-7 all firmware versions, WDR-3 all firmware versions, and WS-2 all firmware versions ESPEC MIC CORP. data logger products versions RT-12N/RS-12N all firmware versions, RT-22BN all firmware versions, and TEU-12N all firmware versions **Description** Missing authentication for a critical function exists in the affected data logger products, which may allow a remote unauthenticated attacker to alter the product settings without authentication. **Recommendations** For T&D Corporation data logger products, consider disabling remote access to the critical function until a patch is available. For ESPEC MIC CORP. data logger products, restrict access to the product settings to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** T&D Corporation data logger products versions TR-71W/72W all firmware versions T&D Corporation data logger products versions RTR-5W all firmware versions T&D Corporation data logger products versions WDR-7 all firmware versions T&D Corporation data logger products versions WDR-3 all firmware versions T&D Corporation data logger products versions WS-2 all firmware versions ESPEC MIC CORP. data logger products versions RT-12N/RS-12N all firmware versions ESPEC MIC CORP. data logger products versions RT-22BN all firmware versions ESPEC MIC CORP. data logger products versions TEU-12N all firmware versions **Description** An improper authentication issue in T&D Corporation and ESPEC MIC CORP. data logger products allows a remote unauthenticated attacker to login to the product as a registered user. **Recommendations** For T&D Corporation data logger products versions TR-71W/72W all firmware versions, consider disabling remote access until a patch is available. For T&D Corporation data logger products versions RTR-5W all firmware versions, restrict access to the product to minimize the risk of exploitation. For T&D Corporation data logger products versions WDR-7 all firmware versions, avoid using default or weak passwords for registered users. For T&D Corporation data logger products versions WDR-3 all firmware versions, limit the number of login attempts to prevent brute-force attacks. For T&D Corporation data logger products versions WS-2 all firmware versions, implement additional authentication mechanisms, such as two-factor authentication. For ESPEC MIC CORP. data logger products versions RT-12N/RS-12N all firmware versions, consider changing default passwords and restricting access to the product. For ESPEC MIC CORP. data logger products versions RT-22BN all firmware versions, disable any unnecessary features or services that could be exploited. For ESPEC MIC CORP. data logger products versions TEU-12N all firmware versions, monitor user activity and login attempts to detect potential exploitation.

**Name of the Vulnerable Software and Affected Versions** SEIKO EPSON printers/network interface Web Config (affected versions not specified) **Description** A cross-site request forgery (CSRF) issue allows a remote unauthenticated attacker to hijack the authentication and perform unintended operations by having a logged-in user view a malicious page. Web Config is the software that allows users to check the status and change the settings of SEIKO EPSON printers/network interface via a web browser, also known as Remote Manager in some products. It is pre-installed in some printers/network interface provided by SEIKO EPSON CORPORATION. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SEIKO EPSON printers/network interface Web Config (affected versions not specified) **Description** A cross-site scripting vulnerability in SEIKO EPSON printers/network interface Web Config allows a remote authenticated attacker with administrative privilege to inject an arbitrary script. Web Config is a software that enables users to check the status and change the settings of SEIKO EPSON printers/network interface via a web browser. It is also known as Remote Manager in some products and is pre-installed in some printers/network interface provided by SEIKO EPSON CORPORATION. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.