RCE in Nec Platforms, Ltd. Aterm Cm51fd

CVE-2026-8652

An OS Command Injection vulnerability exists in Aterm. If a malicious third person gains administrator access to the product’s web console, they may be able to execute arbitrary OS commands via adjacent network.

Vulnerability class: Command Injection (OS Command Injection)

EPSS: 0.005 (66.1th percentile) — read the EPSS interpretation.

Affected products

Nec Platforms, Ltd. Aterm Cm51fd — versions Before Ver. 1.2.0
Nec Platforms, Ltd. Aterm Mr51fn — versions Before Ver. 3.4.0

Weakness classification (CWE)

CWE-78 — OS Command Injection

References

psirt-info@cyber.jp.nec.com