
NEC Aterm Routers Hit With Two New Vulnerabilities — Nine Home Wi-Fi Models and Two LTE Routers Affected

NEC Platforms disclosed two more vulnerabilities in its Aterm router line on May 25, 2026 — a cross-site scripting flaw across nine popular Wi-Fi 6/6E/7 home models and an OS command injection in two business-grade LTE routers. The advisories follow a much larger March 2026 disclosure that affected 21 models and included an undocumented telnet backdoor.

News | kkm | 2026.05.25

Two months after the NV26-001 wave, NEC ships another Aterm patch round

On May 25, 2026, NEC Platforms disclosed two more vulnerabilities in its consumer Wi-Fi router line "Aterm" and shipped fixed firmware for both. The first is a cross-site scripting flaw, JVN#69049186 (NV26-002, CVE-2026-6059), affecting nine home Wi-Fi 6 / 6E / 7 models. The second is an OS command injection, JVN#80890147 (NV26-003, CVE-2026-8652), affecting two business-grade LTE routers.

Cross-site scripting (XSS) is the classic web attack where an attacker tricks a target's browser into running JavaScript inside a trusted site. On a home router, the trusted site is the management UI — Aterm calls it "Quick Web Setup" — and a successful XSS while the administrator is logged in can quietly rewrite Wi-Fi passwords or steal an active admin session. OS command injection is more direct: a crafted value sent through the management UI or its setting APIs causes the router's OS to execute attacker-supplied commands, which is the foundation for full device takeover.

Neither advisory publishes a CVSS score, so there is no headline severity number. What changes the picture is reading these two against the much larger NV26-001 wave from March 2026 — 21 affected models, five CVEs covering access-control bypass, path traversal, two OS command injections, and an undocumented telnet-enable backdoor (CVE-2026-4621). The 21-model bulletin was the largest single Aterm disclosure on record, and the new May 25 pair clearly targets a different slice of the line: NV26-002 hits the newer Wi-Fi 6 / 6E / 7 SKUs that were not covered by NV26-001, while NV26-003 picks up a business-grade LTE line that sits outside the consumer range entirely.

In what follows, the two flaws are explained one at a time, the full list of 11 affected models is laid out with target firmware versions, the timeline from NV26-001 through today's disclosure is reconstructed, and the practical steps for both home users and IT staff are written out. The audience this article assumes is split between "I don't know whether my home Aterm is on the list" consumers and IT teams running fleet Aterm LTE routers across multiple branches.

Summary of NV26-002 / NV26-003

| Item | NV26-002 (XSS) | NV26-003 (OS Command) |
|---|---|---|
| CVE | CVE-2026-6059 | CVE-2026-8652 |
| JVN | JVN#69049186 | JVN#80890147 |
| Class | Cross-site scripting (CWE-79) | OS command injection (CWE-78) |
| Models affected | 9 (consumer Wi-Fi 6 / 6E / 7) | 2 (business LTE routers) |
| Impact | Arbitrary script runs in the admin's browser | Arbitrary OS commands run under admin privileges |
| Disclosed | May 25, 2026 | May 25, 2026 |
| Mitigation | Apply fixed firmware per model | Same |
| Reporter | Tokuaki Iwasaki (Cyber Defense Institute) | So Kato (Mitsui Bussan Secure Directions) |

NV26-002: nine Wi-Fi 6 / 6E / 7 models carry a stored XSS

NV26-002 lands on the newer half of the Aterm line. JVN#69049186 lists the Wi-Fi 6 mainstays WX1800HP / WX3000HP2 / WX4200D5, the Wi-Fi 6E WX5400HP, the Wi-Fi 7 flagships WX7800T8 / WX11000T12, the business OEM models GX621A1 / SH621A1, and the branch-office 19000T12BE — nine models in total, covering most of what currently sits on the "Aterm WX" shelf in Japanese electronics stores.

JVN's description is brief: "the user's browser may execute arbitrary scripts when accessing the product's web management screen." That points to a missing escape somewhere in the admin UI output — either a stored value the attacker can pre-seed, or a reflected parameter that triggers when the admin clicks a crafted link. It is a textbook flaw, the kind OWASP has tracked at the top of its web-app risk lists for over a decade.

"Why would anyone be able to exploit a router XSS from outside?" is the natural reaction, and that is the wrong question. The realistic attack scenarios for consumer routers have hardened over the past few years: malware on a PC or phone inside the LAN pre-seeds the malicious value through the admin UI, the attacker hijacks an admin session and rewrites DNS to point the entire household at phishing pages, the foothold is then used to flip firmware or settings. For an attacker, capturing the home router means visibility into every device on the network — a high-value, low-cost target.

NV26-003: OS command injection on two business LTE routers

NV26-003 is narrower. It affects two business LTE routers — MR51FN (versions earlier than 3.4.0) and CM51FD (versions earlier than 1.2.0). These are not household products. They show up in retail point-of-sale connectivity, remote monitoring at unmanned facilities, and the temporary site offices that construction projects throw up when fiber is not available. Japanese enterprises run plenty of them at the branch and field level.

JVN#80890147 notes that exploitation requires the attacker to be "logged in as administrator to the web console." That sounds like a high bar, until you remember how business LTE routers actually live: shipped with default credentials, deployed by an outside installer, then sitting in a closet or a roadside cabinet for years without anyone changing the password. Insider threats (a current employee at the desk, a cleaning contractor with brief physical access, a visiting customer plugging into the same Wi-Fi) get into that console more easily than enterprise security thinking usually accepts. From there, OS command injection unlocks full takeover.

Fixed versions ship as MR51FN 3.4.0 and CM51FD 1.2.0. Because these are business products, they do not get the consumer-style "the box updates itself overnight" path. IT teams have to push firmware out to each branch, which is exactly where the disclosure tends to fall through the cracks — the older the deployment, the more likely the device list has not been touched in years. A fresh inventory review is the right response.

All 11 affected models and their fixed firmware

The following table consolidates the affected models, vulnerable version ranges, and fixed firmware for both NV26-002 and NV26-003. Pull out the Aterm from under the desk or off the wall, find the model number on the label, and check it against this list.

Affected models and fixed firmware

| Model | Generation / Use | Advisory | Affected versions | Fixed version |
|---|---|---|---|---|
| WX1800HP | Wi-Fi 6, consumer | NV26-002 | < 3.2.2 | 3.2.2 or later |
| WX3000HP2 | Wi-Fi 6, consumer | NV26-002 | < 1.3.2 | 1.3.2 or later |
| WX4200D5 | Wi-Fi 6, consumer | NV26-002 | < 1.3.5 | 1.3.5 or later |
| WX5400HP | Wi-Fi 6E, consumer | NV26-002 | < 2.1.0 | 2.1.0 or later |
| WX7800T8 | Wi-Fi 7, consumer | NV26-002 | < 1.5.1 | 1.5.1 or later |
| WX11000T12 | Wi-Fi 7, consumer (flagship) | NV26-002 | < 1.4.0 | 1.4.0 or later |
| GX621A1 | Business OEM (home gateway) | NV26-002 | < 3.2.2 | 3.2.2 or later |
| SH621A1 | Business OEM (home gateway) | NV26-002 | < 3.2.2 | 3.2.2 or later |
| 19000T12BE | Wi-Fi 7, branch office | NV26-002 | < 1.1.0 | 1.1.0 or later |
| MR51FN | Business LTE router | NV26-003 | < 3.4.0 | 3.4.0 or later |
| CM51FD | Business LTE router | NV26-003 | < 1.2.0 | 1.2.0 or later |

On the consumer side, WX5400HP, WX7800T8 and WX11000T12 see the most movement at retail — they are the default "you should upgrade to Wi-Fi 6E / 7" recommendation in Japanese electronics stores. Anyone who refreshed their home Wi-Fi in the past two or three years is statistically likely to own one of these three. Pulling the router off the shelf and reading the model label is the fastest first step.

2026 in Aterm vulnerabilities, in chronological order

NV26-002 / NV26-003 are easier to read as the second wave of a sequence that started with NV26-001 in March, rather than standalone events. Putting the 2026 Aterm timeline in one place:


NV26-001 in March covered 21 models and pulled nine of them into end-of-life with no fixed firmware — effectively a generation-change signal across the Aterm range. Two months later, the newer generation (Wi-Fi 6 / 6E / 7) takes a hit through a different class of flaw. Read together, the sequence shows external researchers committing serious time to Aterm. NV26-002 was reported by Tokuaki Iwasaki of Cyber Defense Institute; NV26-003 by So Kato of Mitsui Bussan Secure Directions — both well-known Japanese security research teams.

JVN (Japan Vulnerability Notes) pushed the two advisories out at the same time. The @jvnjp account posted them about a minute apart, so anyone watching the feed picked them up as a pair.

"Admin access required" is not the safety net it sounds like

Both NV26-002 and NV26-003 need admin-side access to the management UI to actually fire. On paper that does sound less alarming than a bug that gets you in from the open internet. In practice, the "we're only exposed on the LAN" reading misses how many people can already reach a home or branch router's admin UI.

Routers still on default credentials are open to any device on the LAN — the guest's phone, a delivery driver's PC, an IoT appliance that got popped. Rental apartments with bundled routers, condominium shared Wi-Fi, retail employee Wi-Fi: the boundary of "LAN" is much fuzzier than it looks. On the corporate side, malware on a work laptop becomes a stepping stone to the home router behind it.

Once a router is taken, the consequences are well documented. DNS gets rewritten so even a correctly typed bank URL ends at a phishing page; firmware gets reflashed with persistent malware; the device gets joined to a botnet attacking other targets. DNS-flip phishing is particularly hard to spot from the user side, which is why Japan's IPA keeps issuing reminders about home router hygiene year after year.

"Authentication required" is a real mitigation, but it is also the line of defense that breaks down first in homes and small offices. That is why NV26-002 / NV26-003 are not safe to ignore on auth-requirement grounds. Patching the firmware is still the cheapest and most reliable response.

What to do with your Aterm

The action is simple: if you own one of the affected models, update to the fixed firmware. Aterm devices generally update through the "Quick Web Setup" management UI. Newer models (WX5400HP, WX7800T8, WX11000T12) can also update through the Aterm Search Tool or the Aterm smart remote app.

For home users: from a device connected to the Aterm, open http://aterm.me/ or http://192.168.10.1/ in the browser (the exact address depends on connection mode). Log in with the admin user "admin" and the Web password printed on the bottom of the device. From the left menu choose "Maintenance" → "Firmware Update," tap "Check for latest version," and if the table above shows a newer version available, apply it. The router reboots during the update, so it's worth warning the household that Wi-Fi will drop for a few minutes.

For business LTE routers MR51FN and CM51FD, IT teams pull firmware images from the NEC Group Product Security per-model pages and push them to each branch. If you have these deployed at multiple sites, a per-site firmware-version inventory is the right output of this disclosure — otherwise some sites will be missed.
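One way to turn the fixed-version table above into the per-site inventory this paragraph asks for, as an added example that is not NEC's or JVN's tooling: the fixed versions are the ones the article lists, while the inventory format (site, model, firmware) and the sample rows are constructed assumptions. Versions are compared numerically, because a string comparison would wrongly flag "3.10.0" as older than "3.4.0".

```python
from typing import NamedTuple

# Fixed firmware per model, taken from the consolidated table in this article.
FIXED_VERSION = {
    "WX1800HP": ("NV26-002", "3.2.2"),
    "WX3000HP2": ("NV26-002", "1.3.2"),
    "WX4200D5": ("NV26-002", "1.3.5"),
    "WX5400HP": ("NV26-002", "2.1.0"),
    "WX7800T8": ("NV26-002", "1.5.1"),
    "WX11000T12": ("NV26-002", "1.4.0"),
    "GX621A1": ("NV26-002", "3.2.2"),
    "SH621A1": ("NV26-002", "3.2.2"),
    "19000T12BE": ("NV26-002", "1.1.0"),
    "MR51FN": ("NV26-003", "3.4.0"),
    "CM51FD": ("NV26-003", "1.2.0"),
}


class Finding(NamedTuple):
    site: str
    model: str
    firmware: str
    advisory: str
    fixed: str


def parse_version(v: str) -> tuple:
    """Dotted version -> tuple of ints so that 3.10.0 sorts after 3.4.0."""
    return tuple(int(part) for part in v.strip().split("."))


def check_inventory(rows):
    """rows: iterable of (site, model, firmware). Returns the units that are
    still below the fixed version. Models not on either advisory (for example
    the NV26-001 generation) are skipped, not reported."""
    findings = []
    for site, model, firmware in rows:
        entry = FIXED_VERSION.get(model.strip().upper())
        if entry is None:
            continue
        advisory, fixed = entry
        if parse_version(firmware) < parse_version(fixed):
            findings.append(Finding(site, model, firmware, advisory, fixed))
    return findings


# Constructed sample inventory; sites, versions and the last model are made up.
SAMPLE_INVENTORY = [
    ("Osaka branch", "MR51FN", "3.3.7"),     # below 3.4.0: needs NV26-003 patch
    ("Nagoya POS", "CM51FD", "1.2.0"),       # already on the fixed version
    ("Site office", "MR51FN", "3.10.0"),     # newer than 3.4.0 despite "3.1" prefix
    ("Tokyo HQ", "WX11000T12", "1.4.0"),     # fixed
    ("Warehouse", "WG2600HP3", "1.0.0"),     # NV26-001 model, not in this table
]

if __name__ == "__main__":
    for f in check_inventory(SAMPLE_INVENTORY):
        print(f"{f.site}: {f.model} {f.firmware} -> update to {f.fixed} ({f.advisory})")
```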

Note that many Aterm units in the field were bought several years ago. If your model label shows one of the 21 models from NV26-001 (such as WG1200HP2, WG1900HP, WG1800HP3, WG2600HP3), use this moment to also recheck JVN#89339669 and whether fixed firmware exists for your model. For the 9 end-of-life models on that list, the right answer is replacement, not patching.

How people responded

When JVN pushed NV26-002 / NV26-003 around lunchtime on May 25, the Japanese-language SNS reaction was consistent: "a lot of models on the list" and "Aterm again." Mobile-tech outlet Ketai Watch called out the breadth of the affected list immediately after the disclosure, and because 9 of the 11 affected SKUs are consumer-grade, the story carried beyond the security community.

Home users posted "mine's on the list" and "two months after the March round, again?" The memory of NV26-001's 21-model bulletin is still fresh, so for owners who just bought a new Aterm the back-to-back disclosures hit harder than the technical severity would suggest. The procedural side — coordinated JVN release with same-day firmware — drew positive notes from those tracking the disclosure handling itself.

Snapshot of online reactions

  • "A lot of models" — most of Japan's mainstream Wi-Fi 6 / 6E / 7 Aterm SKUs sit on the list, so the chance of personal exposure is real for many readers.
  • "Aterm again" — NV26-001 from March is still fresh in memory, and the back-to-back disclosures create fatigue.
  • "The handling is solid" — coordinated JVN release plus same-day fixed firmware drew approval from those who watch disclosure processes.
  • "Business kit is on the list too" — MR51FN and CM51FD are exactly the kind of gear that sits in a closet for years; IT teams flagged the need for active outreach.

What is actually happening to Aterm in 2026

Aterm is one of Japan's default consumer Wi-Fi brands — the one bundled with new condo ISP packages, the one labeled "if in doubt, buy this" in retail stores. Which is exactly why a March 21-model bulletin followed by a May 11-model bulletin sits uncomfortably with owners.

The other way to read the sequence is more constructive: external researchers are spending real time on Aterm, and what they find ends up disclosed and patched. The same flaws were almost certainly there before, just not reported. In that frame, 2026 is when Aterm enters its "audit and refresh" phase. What owners can do is mechanical — check the model, apply the firmware, replace the end-of-life units, never leave the admin password at default.

More disclosures targeting model lines that NV26-001 missed, or different branches of the business product range, are realistic over the next one or two months. Keeping NEC's security information page and the JVN feed in your reader catches the next round when it lands. This article will be updated when that happens.
