CVE-2017-12575
Description
Improper access control in NEC Aterm WG2600HP and WG2600HP2 routers allows unauthenticated attackers to retrieve sensitive device information via crafted HTTP requests.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The NEC Aterm WG2600HP (firmware Ver1.0.13 and earlier) and WG2600HP2 (firmware Ver1.0.3 and earlier) routers expose a set of web service APIs for configuration access and setup. Some of these APIs do not require authentication. Specifically, the endpoint /aterm_httpif.cgi/negotiate with parameter REQ_ID=SUPPORT_IF_GET can be accessed without credentials. This allows an attacker to retrieve DHCP client lists, firmware version, and network status information [1].
Exploitation
An attacker can exploit this vulnerability by sending a crafted HTTP request to the vulnerable endpoint. No authentication or user interaction is required, and the attack can be performed remotely over the network. For example, the request curl -X POST http://[IP]/aterm_httpif.cgi/negotiate -d "REQ_ID=SUPPORT_IF_GET" retrieves the sensitive data [1].
Impact
Successful exploitation allows a remote attacker to obtain sensitive device information, including DHCP client details, firmware version, and network status. According to the JVN advisory, the attacker may also obtain and/or alter the settings stored in the device [1]. The CVSS v3 base score is 7.5 (High) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating high confidentiality impact but no integrity or availability impact per the official score.
Mitigation
NEC has not released a firmware patch for this vulnerability as of the latest advisory update (2021-02-02). The JVN page recommends applying workarounds, but specific details are not provided in the available reference [1]. Users should monitor for firmware updates from NEC and consider restricting network access to the router's management interface as a temporary measure.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 1.0.2
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. Vulnerability mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- jvn.jp/en/jp/JVN38248512/index.html (source: mitre; type: third-party-advisory; x_refsource_JVN)
- seclists.org/fulldisclosure/2018/Aug/26 (source: mitre; type: mailing-list; x_refsource_FULLDISC)
News mentions
No linked articles in our index yet.