CVE-2023-28392
Description
Wi-Fi AP UNIT AC-PD-WAPU v1.05_B04 and earlier, AC-PD-WAPUM v1.05_B04 and earlier, AC-PD-WAPU-P v1.05_B04P and earlier, AC-PD-WAPUM-P v1.05_B04P and earlier, AC-WAPU-300 v1.00_B07 and earlier, AC-WAPU-300-P v1.00_B08P and earlier, AC-WAPUM-300 v1.00_B07 and earlier, and AC-WAPUM-300-P v1.00_B08P and earlier allow an authenticated user with an administrative privilege to execute an arbitrary OS command.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OS command injection in Inaba Denki Sangyo Wi-Fi AP UNIT allows authenticated admin users to execute arbitrary OS commands on affected models.
Vulnerability
CVE-2023-28392 is an OS command injection vulnerability (CWE-78) in the web management interface of Inaba Denki Sangyo Wi-Fi AP UNIT products. Affected models include AC-PD-WAPU v1.05_B04 and earlier, AC-PD-WAPUM v1.05_B04 and earlier, AC-PD-WAPU-P v1.05_B04P and earlier, AC-PD-WAPUM-P v1.05_B04P and earlier, AC-WAPU-300 v1.00_B07 and earlier, AC-WAPU-300-P v1.00_B08P and earlier, AC-WAPUM-300 v1.00_B07 and earlier, and AC-WAPUM-300-P v1.00_B08P and earlier [1][2].
Exploitation
An authenticated attacker with administrative privileges can exploit this vulnerability by sending a specially crafted request to the web UI. No user interaction is required, and the only network position needed is network access to the management interface. The attacker must have valid admin credentials [1][2].
Impact
Successful exploitation allows the attacker to execute arbitrary OS commands on the device with the privileges of the web server process, typically root. This leads to full compromise of confidentiality, integrity, and availability of the affected unit [1][2].
Mitigation
These products are end-of-life (EOL) and no patches are available. The vendor recommends workarounds: change the default IP address, restrict web UI access to the front LAN port only, use MAC address filtering for wireless clients, configure VPN or IP filters to limit connections, operate behind a firewall, avoid accessing other websites while logged into the settings page, and clear browser saved passwords after use [1][2].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= v1.05_B04
- Inaba Denki Sangyo Co., Ltd./Wi-Fi AP UNIT (v5), Range: AC-WAPU-300 v1.00_B07 and earlier, AC-WAPU-300-P v1.00_B08P and earlier, AC-WAPUM-300 v1.00_B07 and earlier, and AC-WAPUM-300-P v1.00_B08P and earlier
Patches
No patches discovered yet.
References
- jvn.jp/en/jp/JVN28412757/ (mitre)
- jvn.jp/en/vu/JVNVU98968780/ (mitre)
- www.inaba.co.jp/abaniact/news/Wi-Fi%20AP%20UNIT%E3%80%8CAC-WAPU-300%E3%80%8D%E3%81%AB%E3%81%8A%E3%81%91%E3%82%8BOS%E3%82%B3%E3%83%9E%E3%83%B3%E3%83%89%E3%82%A4%E3%83%B3%E3%82%B8%E3%82%A7%E3%82%AF%E3%82%B7%E3%83%A7%E3%83%B3%E3%81%AE%E8%84%86%E5%BC%B1%E6%80%A7%E3%81%AB%E3%81%A4%E3%81%84%E3%81%A6.pdf (mitre)