CVE-2024-28007
📋 TL;DR
This CVE describes an improper authentication vulnerability in multiple NEC Aterm router models that allows remote attackers to execute arbitrary commands with root privileges via the internet. The vulnerability affects all versions of the listed devices, enabling complete system compromise. Anyone using these specific NEC router models is potentially vulnerable.
💻 Affected Systems
- NEC Corporation Aterm WG1800HP4
- WG1200HS3
- WG1900HP2
- WG1200HP3
- WG1800HP3
- WG1200HS2
- WG1900HP
- WG1200HP2
- W1200EX(-MS)
- WG1200HS
- WG1200HP
- WF300HP2
- W300P
- WF800HP
- WR8165N
- WG2200HP
- WF1200HP2
- WG1800HP2
- WF1200HP
- WG600HP
- WG300HP
- WF300HP
- WG1800HP
- WG1400HP
- WR8175N
- WR9300N
- WR8750N
- WR8160N
- WR9500N
- WR8600N
- WR8370N
- WR8170N
- WR8700N
- WR8300N
- WR8150N
- WR4100N
- WR4500N
- WR8100N
- WR8500N
- CR2500P
- WR8400N
- WR8200N
- WR1200H
- WR7870S
- WR6670S
- WR7850S
- WR6650S
- WR6600H
- WR7800H
- WM3400RN
- WM3450RN
- WM3500R
- WM3600R
- WM3800R
- WR8166N
- MR01LN
- MR02LN
- WG1810HP(JE)
- WG1810HP(MF)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete device takeover, data exfiltration, network pivoting to internal systems, persistent backdoor installation, and use as part of botnets or ransomware campaigns.
Likely Case
Remote code execution leading to device compromise, credential theft, DNS hijacking, and network surveillance.
If Mitigated
Limited impact if devices are behind firewalls with strict inbound rules, though lateral movement risk remains if exploited.
🎯 Exploit Status
The vulnerability requires no authentication and is exploitable via the internet, making it trivial for attackers with network access to the device.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific firmware versions
Vendor Advisory: https://jpn.nec.com/security-info/secinfo/nv24-001_en.html
Restart Required: Yes
Instructions:
1. Visit the NEC security advisory page
2. Identify your specific router model
3. Download the latest firmware from NEC's support site
4. Log into router admin interface
5. Navigate to firmware update section
6. Upload and apply the new firmware
7. Reboot the router after update completes
🔧 Temporary Workarounds
Network Segmentation
allPlace routers behind firewalls with strict inbound rules to block external access to management interfaces
Access Control Lists
allImplement network ACLs to restrict access to router management IPs to trusted internal IPs only
🧯 If You Can't Patch
- Immediately disconnect vulnerable routers from the internet and place behind firewalls
- Replace vulnerable routers with patched or alternative models if firmware updates are unavailable
🔍 How to Verify
Check if Vulnerable:
Check if your router model appears in the affected products list and verify current firmware version against NEC's patched versionsCheck Version:
Log into router admin interface and check firmware version in system status or about pageVerify Fix Applied:
After updating firmware, verify the version matches or exceeds the patched version specified in NEC's advisory📡 Detection & Monitoring
Log Indicators:
- Unusual authentication attempts to router management interface
- Unexpected configuration changes
- Unknown processes or services running
Network Indicators:
- Unusual outbound connections from router
- DNS queries to suspicious domains
- Unexpected port openings on router
SIEM Query:
source="router_logs" AND (event_type="authentication_failure" OR event_type="configuration_change")