CVE-2024-28009
📋 TL;DR
This CVE describes an improper authentication vulnerability in multiple NEC Aterm router models that allows unauthenticated remote attackers to execute arbitrary commands with root privileges via the internet. All listed NEC Aterm router models are affected regardless of version. This is a critical vulnerability affecting internet-facing network devices.
💻 Affected Systems
- NEC Corporation Aterm WG1800HP4
- WG1200HS3
- WG1900HP2
- WG1200HP3
- WG1800HP3
- WG1200HS2
- WG1900HP
- WG1200HP2
- W1200EX(-MS)
- WG1200HS
- WG1200HP
- WF300HP2
- W300P
- WF800HP
- WR8165N
- WG2200HP
- WF1200HP2
- WG1800HP2
- WF1200HP
- WG600HP
- WG300HP
- WF300HP
- WG1800HP
- WG1400HP
- WR8175N
- WR9300N
- WR8750N
- WR8160N
- WR9500N
- WR8600N
- WR8370N
- WR8170N
- WR8700N
- WR8300N
- WR8150N
- WR4100N
- WR4500N
- WR8100N
- WR8500N
- CR2500P
- WR8400N
- WR8200N
- WR1200H
- WR7870S
- WR6670S
- WR7850S
- WR6650S
- WR6600H
- WR7800H
- WM3400RN
- WM3450RN
- WM3500R
- WM3600R
- WM3800R
- WR8166N
- MR01LN
- MR02LN
- WG1810HP(JE)
- WG1810HP(MF)
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the router with root access, allowing attackers to intercept all network traffic, install persistent malware, pivot to internal networks, and permanently brick devices.
Likely Case
Remote code execution leading to router takeover, credential theft, DNS hijacking, and creation of botnet nodes for DDoS attacks or cryptocurrency mining.
If Mitigated
Limited impact if routers are behind firewalls with strict inbound filtering, though lateral movement risk remains if internal devices are compromised.
🎯 Exploit Status
The vulnerability requires no authentication and allows root command execution, making exploitation trivial for attackers with network access. While no public PoC is confirmed, the high CVSS score and clear impact make weaponization likely.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific firmware updates per model
Vendor Advisory: https://jpn.nec.com/security-info/secinfo/nv24-001_en.html
Restart Required: Yes
Instructions:
1. Visit the NEC security advisory page
2. Identify your specific router model
3. Download the latest firmware from NEC's support site
4. Log into router web interface
5. Navigate to firmware update section
6. Upload and apply the new firmware
7. Reboot the router
🔧 Temporary Workarounds
Disable WAN management access
Prevent external internet access to router management interface
Log into router admin panel
Navigate to remote management/administration settings
Disable 'Allow WAN access' or similar option
Ensure only LAN access is permitted
Implement strict firewall rules
Block all inbound traffic to router management ports from internet
On upstream firewall: deny tcp/80, tcp/443, tcp/22, tcp/23 to router WAN IP
Consider blocking all non-essential ports to router
🧯 If You Can't Patch
- Immediately move routers behind firewalls with strict inbound filtering
- Disable remote management features and restrict admin access to specific internal IPs only
🔍 How to Verify
Check if Vulnerable:
Check if your router model is in the affected products list and has not been updated with the latest firmware from NEC.
Check Version:
Log into router web interface and check firmware version in System Status or Administration section.
Verify Fix Applied:
Verify firmware version matches or exceeds the patched version specified in NEC's advisory for your specific model.
📡 Detection & Monitoring
Log Indicators:
- Unusual authentication attempts to router admin interface
- Unexpected configuration changes
- Unknown processes or services running on router
- Failed firmware update attempts
Network Indicators:
- Unusual outbound connections from router to unknown IPs
- DNS queries to suspicious domains from router
- Unexpected port scans originating from router
SIEM Query:
source="router_logs" AND (event_type="authentication_failure" OR event_type="configuration_change" OR event_type="firmware_update")
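The query above returns every matching event; because the flaw is an authentication bypass, the events that matter most are management events from outside the LAN and changes with no preceding admin login. The following triage sketch is an added example, not code from this page or from NEC. The key=value log layout, the `authentication_success` event, the LAN subnet and the 15-minute session window are all assumptions to adapt to your own log source.

```python
import ipaddress
import re
from datetime import datetime, timedelta

LAN = ipaddress.ip_network("192.168.10.0/24")  # assumed LAN subnet
SESSION = timedelta(minutes=15)                # assumed admin session lifetime
CHANGE_EVENTS = {"configuration_change", "firmware_update"}

# Constructed sample lines; the key=value layout is an assumption, not NEC's log format.
SAMPLE_LOG = """\
2024-04-02T09:00:05 src=192.168.10.20 event_type=authentication_success
2024-04-02T09:03:41 src=192.168.10.20 event_type=configuration_change
2024-04-02T11:15:09 src=203.0.113.77 event_type=authentication_failure
2024-04-02T11:15:12 src=203.0.113.77 event_type=configuration_change
2024-04-02T13:40:00 src=192.168.10.31 event_type=firmware_update
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) event_type=(\S+)$")


def triage(log_text):
    """Return (timestamp, src, event, reason) tuples that deserve analyst review."""
    last_login = {}  # src -> time of the last successful admin login
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not follow the assumed layout
        raw_ts, src, event = m.groups()
        ts = datetime.fromisoformat(raw_ts)
        if event == "authentication_success":
            last_login[src] = ts
        if ipaddress.ip_address(src) not in LAN:
            # With WAN management disabled, nothing outside the LAN should appear here.
            findings.append((raw_ts, src, event, "management event from non-LAN source"))
        elif event in CHANGE_EVENTS:
            login = last_login.get(src)
            if login is None or ts - login > SESSION:
                findings.append((raw_ts, src, event, "change without recent login"))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep="  ")
```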