Published: 2024/08/05  Last Updated: 2024/08/05

JVN#70666401
Multiple vulnerabilities in ZEXELON ZWX-2000CSW2-HN

Overview

ZWX-2000CSW2-HN provided by ZEXELON CO., LTD. contains multiple vulnerabilities.

Products Affected

  • ZWX-2000CSW2-HN firmware versions prior to Ver.0.3.15

Description

ZWX-2000CSW2-HN provided by ZEXELON CO., LTD. is a high-speed coaxial modem with wireless LAN functions. ZWX-2000CSW2-HN contains multiple vulnerabilities listed below.

  • Use of hard-coded credentials (CWE-798)
    • CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N Base Score 4.5
    • CVE-2024-39838
  • Incorrect permission assignment for critical resource (CWE-732)
    • CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Base Score 8.0
    • CVE-2024-41720

Impact

An attacker may alter the configuration of the device.

Solution

Update the firmware
Update the firmware to the latest version according to the information provided by the developer.

Credit

Hiroki Sato of Tokyo Institute of Technology reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

Other Information

  • CVE: CVE-2024-39838, CVE-2024-41720
  • JVN iPedia: JVNDB-2024-000084