Major Vulnerabilities in Products Japanese Enterprises Use, H1 2026
In H1 2026, serious vulnerabilities hit products Japanese firms rely on, from Fujitsu and NEC to Microsoft and Oracle. A cross-vendor hub for in-house IT teams.

Makoto Horikawa
Backend Engineer / AWS / Django
Between January and June 2026, a string of serious vulnerabilities hit the front lines of Japanese enterprises. From products by domestic giants such as Fujitsu and NEC, to overseas products widely used in Japan like Microsoft, Oracle and Citrix, flaws that shake the very foundation of corporate systems were disclosed one after another. This page is a cross-vendor roundup of only the cases that large enterprises, government agencies, financial institutions and manufacturers in Japan should treat as their own problem.
You can grasp each vulnerability by following them one at a time. But some things only become visible when you line them up across vendors. Attackers do not pick targets by brand name. They simply work through every "entry point where authentication can be bypassed" and every "device left unpatched after support ended" in turn. That is exactly why it is worth checking, all at once, how many holes the products you use opened up this half-year.
Below, we first cover where to find Japanese vulnerability information, then organize the key cases by product category, and finally sum up the trends seen across the first half of 2026 and what IT teams should check right now.
Where to find Japanese vulnerability information (What is JVN)
The starting point for checking Japanese vulnerability information is JVN (Japan Vulnerability Notes). It is a Japanese-language vulnerability information portal jointly operated by the IPA (Information-technology Promotion Agency) and JPCERT/CC (the JPCERT Coordination Center, the organization that coordinates security incident response in Japan). Vulnerabilities reported by domestic vendors, and those disclosed overseas that are relevant to Japan, are published with explanations in Japanese. The content is split between JVN (jvn.jp) and the more comprehensive JVN iPedia (jvndb.jvn.jp). JPCERT/CC also issues alerts for the most urgent items, so subscribing to these sources is the basic first step.
According to IPA figures, of the vulnerabilities registered to JVN iPedia in the first quarter of 2026, the most severe "Critical" rating accounted for about 16% of the total. Because the sheer number keeps growing, following all of them is not realistic. You need a way to pick out only those tied to the products you actually use.
JVN is often contrasted with the list published by the US government agency CISA of "vulnerabilities actually being used in attacks" (KEV, Known Exploited Vulnerabilities). While JVN is discovery-based information that "a dangerous flaw has been found," KEV is impact-based, meaning "it is already being exploited in attacks," and US federal agencies are given deadlines to fix the listed items. In other words, the way priority is set differs. Cross-referencing the two surfaces the highest-priority cases that are both dangerous and actively under attack. For KEV, we provide a separate dashboard that lets you search the entire catalog in Japanese.
Serious vulnerabilities found in major domestic products
Let us start with products made by domestic vendors that are almost guaranteed to be present inside any Japanese company. Server management software, business Wi-Fi routers, and antivirus software protecting in-house PCs all appeared on the list, the kind of products that affect the entire business when they stop working.
In Fujitsu's server management software "ServerView," privilege-escalation vulnerabilities CVE-2026-27788 and CVE-2026-32325 were disclosed. A person who holds only an ordinary user account could seize the server's administrator privileges. Since this is software used to monitor and manage servers, losing control here means the whole foundation is taken with it.
In NEC's "Aterm" Wi-Fi routers for homes and small offices, new vulnerabilities were found in nine popular models (advisory IDs NV26-002 / NV26-003). This is a second round following the major fix released in March. Because these are widely used on home lines for remote work and at small branch offices, the large number of units makes missed updates likely to linger.
In Trend Micro's enterprise antivirus software "Apex One," a serious vulnerability was disclosed that could let the management console be hijacked and used as a foothold to break into PCs across the entire company. The very product meant to protect becomes the entry point, and because the impact spans the whole company, the priority is high.
The details of each case, the affected models, fixed versions and mitigations are covered in dedicated articles.
Serious vulnerabilities found in core systems (IBM and Oracle)
Next are the IBM and Oracle products that underpin the core operations of large enterprises. These cover areas where processes that cannot be stopped are running, such as accounting, order management, and file transfer for broadcasting and finance.
Oracle moved to monthly patch delivery in 2026, and its very first round disclosed 35 issues, including CVE-2026-46840, a worst-class takeover flaw (its CVSS severity score is the maximum of 10.0). Because Oracle products are deeply embedded in core systems, the deployment plan itself becomes a major undertaking.
IBM disclosed vulnerabilities across multiple products in May. Among them, CVE-2026-8633 in "WebSphere," the application execution platform that forms the foundation of corporate systems, was a serious flaw that could let a server be hijacked. In addition, "Aspera," used by broadcasters and large enterprises to transfer large files, had two memory-corruption (buffer overflow) vulnerabilities disclosed, CVE-2026-8175 and CVE-2026-8179.
- Worst-class takeover flaw in Oracle CVE-2026-46840, 35 issues in the first monthly patch
- CVE-2026-8633, a serious flaw that lets IBM WebSphere be hijacked, update now
- Two buffer overflow flaws in IBM Aspera CVE-2026-8175/8179, hitting file-transfer infrastructure for broadcasters and large firms
Serious vulnerabilities found in network gear and in-house infrastructure
Network devices placed at the boundary between outside and inside are the first entry point attackers aim for. They face the internet and, once breached, give reach into the entire internal network, so vulnerabilities here need to be treated with extra weight.
In F5's "BIG-IP," used for load balancing and VPN, CVE-2025-53521 was initially treated as a denial-of-service (service outage) issue, but based on new information obtained in March it was reclassified as a remote code execution flaw that allows takeover. It was also added to CISA's list of vulnerabilities actually being used in attacks (KEV), with US federal agencies given a fix deadline of March 30.
In Ubiquiti's in-house network gear "UniFi," five top-class vulnerabilities were disclosed together that could let internal communications be eavesdropped without authentication. These are widely used as in-house switches and access points, so the more units an organization has, the wider the impact. For document sharing, the enterprise file-sharing product "Gladinet Triofox" had three serious vulnerabilities (CVE-2026-8362/8363/8364) disclosed that allow remote code execution without authentication.
Also, in "Drupal," a CMS widely used to build government and large-enterprise websites, CVE-2026-9082, a SQL injection vulnerability (an attack that injects malicious commands to manipulate the database), was added to KEV as already being exploited, and US federal agencies were ordered to fix it by May 27. Likewise, urgent vulnerabilities that allow takeover without authentication were disclosed in Microsoft's in-house portal "SharePoint" and Cisco's firewall management software "FMC," and immediate patching was urged.
- F5 BIG-IP takeover flaw, post-deadline attack cases and permanent fix [CVE-2025-53521]
- Five top-class vulnerabilities in UniFi gear, internal communications exposed without authentication
- Three serious vulnerabilities in Gladinet Triofox, enterprise file sharing at risk
- Unauthenticated takeover flaw in Drupal sites, US government orders a fix by May 27
- SharePoint's deadline is tomorrow, Cisco can be hijacked without authentication: two urgent CVEs
Serious vulnerabilities found in business web apps (recruiting, help desk, login infrastructure)
Finally, the business web apps that HR and IT teams use daily. They are behind-the-scenes systems that rarely show up in the spotlight, yet they handle data with large impact when leaked, such as job applicants' personal information and employees' login credentials.
In the help-desk product "OTRS," the SQL injection vulnerability CVE-2026-48188 was disclosed, which under certain configurations could allow intrusion without authentication. In the recruiting product "OpenCATS," CVE-2026-49489 was flagged as risking the leak of applicant data. Since this system holds large volumes of applicants' personal information, the impact of a leak is far from small.
In "Casdoor," a single sign-on platform (a mechanism that lets you use multiple services with one login) that consolidates logins to various in-house services, nine authentication-bypass vulnerabilities were disclosed (CVE-2026-9090 and others). If the foundation of logins is breached, the impact reaches every connected business system. Care is needed, not least because no fixed version was available at the time of disclosure.
First-half 2026 key cases at a glance
Here is a list of the cases covered above. The "Exploited" column indicates whether the item is on CISA's list of vulnerabilities actually being used in attacks (KEV).
| Product | CVE | Impact | Exploited | Action |
|---|---|---|---|---|
| Fujitsu ServerView (server mgmt) | CVE-2026-27788, CVE-2026-32325 | Admin privileges seized | — | See official info |
| NEC Aterm (Wi-Fi router) | NV26-002, NV26-003 | Device hijacked | — | See official info |
| Trend Micro Apex One | See official info | Break into PCs via management console | — | Update to fix |
| Oracle monthly patch (core systems) | CVE-2026-46840 (35 total) | Takeover (severity 10.0) | — | Apply monthly patch |
| IBM WebSphere (app platform) | CVE-2026-8633 | Server hijacked | — | Update to fix |
| IBM Aspera (file transfer) | CVE-2026-8175, CVE-2026-8179 | Takeover via memory corruption | — | Update to fix |
| F5 BIG-IP (load balance / VPN) | CVE-2025-53521 | Remote code execution | On KEV | Update to fix |
| Ubiquiti UniFi (in-house network) | See official info (5 items) | Eavesdrop without authentication | — | Update to fix |
| Gladinet Triofox (file sharing) | CVE-2026-8362/8363/8364 | Code execution without auth | — | Update to fix |
| Drupal (government CMS) | CVE-2026-9082 | Privilege escalation / code execution | On KEV | Update to fix |
| SharePoint / Cisco FMC | See official info | Takeover without authentication | On KEV | Patch immediately |
| OTRS (help desk) | CVE-2026-48188 | Unauthenticated intrusion in some setups | — | See official info |
| OpenCATS (recruiting) | CVE-2026-49489 | Risk of applicant data leak | — | See official info |
| Casdoor (login platform) | CVE-2026-9090 (9 total) | Authentication bypass | — | See official info |
For the exact CVSS scores, affected versions and fixed-version numbers of each case, always check the individual articles above, each vendor's official advisory, and JVN.
Trends seen across the first half of 2026 (the author's view)
From here on, this is not a recap of facts but what the author felt after lining up the cases of the first half. Please read it as a personal opinion.
In the author's view, what stood out most this half-year was the sheer number of vulnerabilities of the "authentication can be bypassed" or "no authentication needed at all" type. F5 BIG-IP, Drupal, SharePoint, Cisco FMC, Gladinet Triofox, Casdoor, OTRS. The categories are all over the place, yet they share the trait that the authentication meant to stop attackers at the door simply does not work. From an attacker's point of view, there were that many entry points where the first step can be taken without any ID or password.
The next thing I felt is that, regardless of whether a product is domestic or overseas, the closer it is to the core, the more it gets targeted. Fujitsu's server management, IBM's application platform and file transfer, Oracle's core systems, and Casdoor that consolidates logins. All of these are places where "if you take this, it is easy to spread sideways." If you are hardening your defenses, I believe you should prioritize starting from these foundational parts.
One more thing that caught my attention is that products with no fix available at disclosure time, or with thinning support, tend to be left unpatched. Some cases, like Casdoor, were disclosed without a fixed version, and others, like Aterm, have so many units that updates do not reach everywhere. The troubling part is that attackers precisely target this gap of "want to fix it but cannot" and "forgot to fix it."
To sum up, the threats this half-year were concentrated less in flashy new techniques and more in long-standing weak points: "entry-point authentication," "the core foundation," and "neglected, unpatched devices." That is the author's read. Conversely, it means the direction of defense can be narrowed down to exactly those.
What IT teams should check right now
Given the trends of the first half, what to check comes down to four things. Rather than bracing yourself comprehensively, it is more practical to start where it has the most effect.
The first is taking inventory of assets. Of the products in the quick-reference table, which ones does your company use? It is essential first to know where your internet-facing devices are (VPN, file sharing, CMS, in-house portals) and where the platform that consolidates logins sits. If you do not know what you have, you cannot know what to fix.
The second is subscribing to information sources. Subscribe to JVN and JPCERT/CC alerts, and set up a way to catch items relevant to your own products as they come in. Together with that, checking what is already being used in attacks via CISA's KEV makes it easier to set priorities.
The third is identifying end-of-support products. Devices and software whose support has ended get no fixed version even when a new vulnerability appears. Even this half-year, the trend of neglected products being targeted was visible. If you keep using them, additional measures such as isolating them from the network are required.
The fourth is how you set priorities. You cannot fix everything at once. The basic approach is to start with items where all three apply: "is it directly reachable from the internet," "can it be exploited without authentication," and "is it already being attacked (on KEV)." For this half-year, KEV-listed cases such as F5 BIG-IP, Drupal, and SharePoint / Cisco FMC take top priority.
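The four checks above can be run as one pass over an inventory. The following is an added example, not this site's tool or any vendor's code: it scores each asset on the three criteria from the fourth check, using the KEV and authentication details this page gives for a few cases. The `Asset` record, the `triage` function, the host names, the "Legacy NAS" entry and the action labels are assumptions made for illustration.

```python
from dataclasses import dataclass

# Case attributes as stated on this page: (no authentication needed, on KEV).
CASES = {
    "Fujitsu ServerView": (False, False),  # needs an ordinary user account
    "F5 BIG-IP": (True, True),
    "Drupal": (True, True),
    "Casdoor": (True, False),
}
NO_FIX_AT_DISCLOSURE = {"Casdoor"}  # per this page; status may have changed

@dataclass
class Asset:  # hypothetical inventory record
    host: str
    product: str
    internet_facing: bool
    end_of_support: bool = False

def triage(inventory):
    """Return (host, product, score, on_kev, action) rows, most urgent first."""
    rows = []
    for asset in inventory:
        case = CASES.get(asset.product)
        if case is None:
            # Not a tracked case: only end-of-support assets are reported.
            if asset.end_of_support:
                rows.append((asset.host, asset.product, 0, False, "isolate"))
            continue
        unauth, on_kev = case
        # One point per criterion: internet-reachable, no auth needed, on KEV.
        score = int(asset.internet_facing) + int(unauth) + int(on_kev)
        if asset.end_of_support:
            action = "isolate"
        elif asset.product in NO_FIX_AT_DISCLOSURE:
            action = "restrict access"  # assumed interim control, no fix to install
        elif score == 3:
            action = "patch now"
        else:
            action = "patch in cycle"
        rows.append((asset.host, asset.product, score, on_kev, action))
    # Highest score first; KEV-listed cases win ties, then host name.
    rows.sort(key=lambda r: (-r[2], not r[3], r[0]))
    return rows

# Constructed sample inventory: hosts and exposure are invented for illustration.
INVENTORY = [
    Asset("sso01", "Casdoor", internet_facing=True),
    Asset("mgmt01", "Fujitsu ServerView", internet_facing=False),
    Asset("lb01", "F5 BIG-IP", internet_facing=True),
    Asset("web01", "Drupal", internet_facing=False),
    Asset("nas01", "Legacy NAS", internet_facing=False, end_of_support=True),
]

for row in triage(INVENTORY):
    print(row)
```

The internet-facing flag comes from your own inventory, not from the advisory, which is why the same CVE can land in different tiers on different hosts.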
We also provide a helper tool to make daily checks routine. It is a scanner that lets you check vulnerabilities just by pasting the dependencies of the open-source software (OSS) you use in-house.
Frequently asked questions
What is JVN?
JVN (Japan Vulnerability Notes) is a Japanese-language vulnerability information portal jointly operated by the IPA (Information-technology Promotion Agency) and JPCERT/CC (JPCERT Coordination Center). Vulnerabilities reported by domestic vendors, and those disclosed overseas that are relevant to Japan, are published with explanations in Japanese. There are two parts: jvn.jp and the more comprehensive JVN iPedia (jvndb.jvn.jp).
Which vulnerabilities should be prioritized in the first half of 2026?
Cases confirmed to already be used in attacks take top priority. Specifically, F5 BIG-IP (CVE-2025-53521), Drupal (CVE-2026-9082), and Microsoft SharePoint and Cisco FMC are on CISA's list of vulnerabilities actually being used in attacks (KEV). Start with internet-facing devices first.
Which is riskier, domestic or overseas products?
Risk is not determined by a product's country of origin. In the first half of 2026, serious vulnerabilities were disclosed across the board, from domestic giants such as Fujitsu and NEC to overseas products like Microsoft, Oracle, F5 and Cisco. What matters is "is it internet-facing," "can it be exploited without authentication," and "is it close to the core." It is practical to check products that match these first.
What is the difference between JVN and CISA's KEV?
JVN is discovery-based information in Japanese that "a dangerous flaw has been found," and serves as a starting point for grasping vulnerabilities relevant to your own products. CISA's KEV, on the other hand, is an impact-based list of vulnerabilities that "are already being exploited in attacks," with fix deadlines imposed on US federal agencies. Cross-referencing the two surfaces the highest-priority cases that are both dangerous and actively under attack.
Update history
- June 1, 2026: First published. Covers the key cases of the first half of 2026 (January to June)
This page is a roundup hub for the first half of 2026. We will update it as new serious cases come to light or as the remediation status of each case changes.