CVE-2026-4620
Published: 27 March 2026
Description
OS Command Injection vulnerability in NEC Platforms, Ltd. Aterm Series allows an attacker to execute arbitrary OS commands via the network.
Mitigating Controls (NIST 800-53 r5) (AI)
Directly mitigates CVE-2026-4620 by requiring timely identification, reporting, and patching of the OS command injection flaw in Aterm Series products.
Prevents exploitation of the command injection vulnerability by enforcing input validation at network entry points to block malicious command payloads.
Limits network-accessible exploitation of the unauthenticated command injection by monitoring and controlling communications to affected Aterm devices.
Security Summary (AI)
CVE-2026-4620 is an OS Command Injection vulnerability (CWE-78) in NEC Platforms, Ltd.'s Aterm Series products. Published on 2026-03-27, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), which is critical severity.
The vulnerability lets a network-accessible attacker execute arbitrary OS commands on affected devices without privileges or user interaction. Attack complexity is low, and the confidentiality, integrity, and availability impacts are all high, allowing full system compromise.
NEC Platforms has published an advisory with mitigation guidance at https://jpn.nec.com/security-info/secinfo/nv26-001_en.html.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
OS Command Injection in a public-facing network device enables unauthenticated remote exploitation (T1190) and arbitrary Unix shell command execution (T1059.004).