CVE-2025-0356
Published: 15 January 2025
Description
NEC Corporation Aterm WX1500HP Ver.1.4.2 and earlier and WX3600HP Ver.1.5.3 and earlier allow an attacker to execute arbitrary OS commands via the network.
Security Summary
CVE-2025-0356 is an OS command injection vulnerability (CWE-78) affecting NEC Corporation Aterm WX1500HP versions 1.4.2 and earlier, and WX3600HP versions 1.5.3 and earlier. On these network devices, the flaw allows an attacker to execute arbitrary OS commands via the network. The vulnerability was published on 2025-01-15 and carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
Exploitation requires high privileges (PR:H), such as those held by an authenticated administrator, but can be performed remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation grants the attacker the ability to run arbitrary OS commands, leading to high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) within the unchanged scope (S:U).
NEC has published a security advisory with mitigation guidance at https://jpn.nec.com/security-info/secinfo/nv25-003_en.html. Security practitioners should consult this reference for details on patches or workarounds.
Details
- CWE(s)