{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4619", "assignerOrgId": "f2760a35-e0d8-4637-ac4c-cc1a2de3e282", "state": "PUBLISHED", "assignerShortName": "NEC", "dateReserved": "2026-03-23T06:04:46.181Z", "datePublished": "2026-03-27T11:46:54.450Z", "dateUpdated": "2026-04-10T04:12:05.787Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "f2760a35-e0d8-4637-ac4c-cc1a2de3e282", "shortName": "NEC", "dateUpdated": "2026-04-10T04:12:05.787Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "affected": [{"vendor": "NEC Platforms, Ltd.", "product": "Aterm WX3600HP", "versions": [{"status": "affected", "version": "Before Ver. 1.5.3"}], "defaultStatus": "unknown"}], "descriptions": [{"lang": "en", "value": "Path Traversal vulnerability in NEC Platforms, Ltd. Aterm Series allows a attacker to wtite over any file via network.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Path Traversal vulnerability in NEC Platforms, Ltd. Aterm Series allows a attacker to wtite over any file via network."}]}], "references": [{"url": "https://jpn.nec.com/security-info/secinfo/nv26-001_en.html"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 6, "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N"}}], "credits": [{"lang": "en", "value": "Chuya Hayakawa of Zero Zero One Co., Ltd.", "user": "00000000-0000-4000-9000-000000000000", "type": "reporter"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T11:59:45.121746Z", "id": "CVE-2026-4619", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T11:59:56.839Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4619", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-27T11:59:45.121746Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T11:59:51.487Z"}}], "cna": {"source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "Chuya Hayakawa of Zero Zero One Co., Ltd."}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "NEC Platforms, Ltd.", "product": "Aterm WX3600HP", "versions": [{"status": "affected", "version": "Before Ver. 1.5.3"}], "defaultStatus": "unknown"}], "references": [{"url": "https://jpn.nec.com/security-info/secinfo/nv26-001_en.html"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Path Traversal vulnerability in NEC Platforms, Ltd. Aterm Series allows a attacker to wtite over any file via network.", "supportingMedia": [{"type": "text/html", "value": "Path Traversal vulnerability in NEC Platforms, Ltd. Aterm Series allows a attacker to wtite over any file via network.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "f2760a35-e0d8-4637-ac4c-cc1a2de3e282", "shortName": "NEC", "dateUpdated": "2026-04-10T04:12:05.787Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4619", "state": "PUBLISHED", "dateUpdated": "2026-04-10T04:12:05.787Z", "dateReserved": "2026-03-23T06:04:46.181Z", "assignerOrgId": "f2760a35-e0d8-4637-ac4c-cc1a2de3e282", "datePublished": "2026-03-27T11:46:54.450Z", "assignerShortName": "NEC"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:nec:aterm_wx3600hp_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "B77603F2-DFB5-4718-B4DB-482CD835BB61", "versionEndExcluding": "1.5.3", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:nec:aterm_wx3600hp:-:*:*:*:*:*:*:*", "matchCriteriaId": "49BA8EF7-AE6D-4E69-A14B-410127D41E01", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Path Traversal vulnerability in NEC Platforms, Ltd. Aterm Series allows a attacker to wtite over any file via network."}], "id": "CVE-2026-4619", "lastModified": "2026-04-20T15:18:26.117", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.0, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "psirt-info@cyber.jp.nec.com", "type": "Secondary"}]}, "published": "2026-03-27T12:16:20.593", "references": [{"source": "psirt-info@cyber.jp.nec.com", "tags": ["Vendor Advisory"], "url": "https://jpn.nec.com/security-info/secinfo/nv26-001_en.html"}], "sourceIdentifier": "psirt-info@cyber.jp.nec.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "psirt-info@cyber.jp.nec.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.5.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "product": "aterm_wx3600hp", "vendor": "nec"}], "analysis": {"en": {"generated_at": "2026-03-27T15:20:28.234914+00:00", "value": {"mitigation_remediation": ["Install the latest firmware update released by NEC for the Aterm WX3600HP.", "Restrict access to the router\u2019s management interface to trusted IP addresses using firewall or ACL rules.", "Enable logging for file modification attempts and review logs for suspicious activity."], "summary": {"action": "Apply Patch", "impact": "Remote File Write"}, "threat_synthesis": {"affected_systems": "All publicly released NEC Aterm WX3600HP firmware versions are considered vulnerable until an official update is issued by NEC. No particular firmware revisions were listed as unaffected.", "description_and_impact": "The flaw is a path traversal vulnerability in the NEC Platforms, Ltd. Aterm WX3600HP router series that allows an attacker to write over any file on the device by sending a specially crafted request over the network. This feature directly permits modification of system files, potentially disrupting normal operation or providing a foothold for further compromise.", "risk_and_exploitability": "The vulnerability has a CVSS score of 6, indicating medium severity. Its EPSS score is below 1\u202f% and it is not included in the CISA KEV catalog, implying a low current exploitation likelihood. The attack vector is inferred to be network\u2011based, based on the description that the overwrite occurs via a network request. Successful exploitation would grant an attacker control over any file on the device, potentially leading to device compromise or denial of service."}}}}, "created": "2026-03-27T15:47:05.029995+00:00", "title": "Network\u2011Based Path Traversal Allowing Arbitrary File Write on NEC Aterm WX3600HP", "updated": "2026-03-30T07:59:44.195681+00:00", "vendors": ["nec", "nec$PRODUCT$aterm_wx3600hp"]}