CVE-2026-4621 Overview
CVE-2026-4621 is a hidden functionality vulnerability affecting the NEC Aterm series of consumer and small-business wireless routers. The flaw allows an unauthenticated attacker to enable the telnet service on an affected device over the network. Once telnet is enabled, attackers gain a legacy management channel that transmits credentials and commands in cleartext. The issue is tracked under CWE-912: Hidden Functionality and was published by NEC in security advisory NV26-001.
Critical Impact
A remote attacker can activate an undocumented telnet service on more than 20 NEC Aterm router models, exposing administrative access and enabling further compromise of the device and connected network.
Affected Products
- NEC Aterm WG1200HP4, WG1200HP3, WG1200HP2, WG1200HS4, WG1200HS3, WG1200HS2, WG1200CR (firmware)
- NEC Aterm WG2600HP4, WG2600HM4, WG2600HS2, WG2600HS, WG1900HP2, WG1900HP, WG1800HP4, WG1800HP3 (firmware)
- NEC Aterm WX3600HP, WX3000HP2, WX3000HP, WX1500HP, WF1200CR, W1200EX-MS (firmware)
Discovery Timeline
- 2026-03-27 - CVE-2026-4621 published to NVD
- 2026-04-20 - Last updated in NVD database
Technical Details for CVE-2026-4621
Vulnerability Analysis
The vulnerability arises from hidden functionality embedded in the Aterm firmware. The firmware contains a code path that enables the telnet daemon when triggered through a network-reachable interface. This functionality is not documented in user-facing administration guides and is not exposed through the standard web management UI.
Telnet operates in cleartext on TCP/23. Once it is activated, an attacker on the same network segment, or one able to reach the device's WAN-facing services, can attempt authentication against the telnet listener. Depending on the model, successful access grants a command shell on the embedded Linux-based device. NEC has confirmed the issue across the broad Aterm consumer product line listed in advisory NV26-001.
Root Cause
The root cause is the inclusion of an undocumented activation mechanism for the telnet service within shipped firmware images. Under CWE-912, this represents functionality that bypasses the documented security boundary of the device. The web-based administration model assumes telnet is disabled, yet a network-accessible trigger overrides that assumption without administrator consent.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction, though the CVSS metrics indicate high attack complexity. An attacker reaches the trigger interface over the network, sends the activation request, and then connects to the newly opened telnet port. From that point the attacker can attempt credential attacks, leverage default or weak credentials, or stage follow-on actions such as DNS hijacking, configuration tampering, or use of the router as a pivot.
No public proof-of-concept code is available. Refer to the NEC Security Advisory NV26-001 for vendor technical details and firmware fix information.
Detection Methods for CVE-2026-4621
Indicators of Compromise
- Unexpected TCP/23 (telnet) listener observed on an Aterm router's LAN or WAN interface.
- Outbound or inbound telnet sessions in firewall and NetFlow logs originating from or terminating at router management IPs.
- Configuration changes on the router (DNS servers, port forwarding, admin credentials) with no corresponding administrator action.
- Unrecognized requests to non-standard router HTTP endpoints preceding telnet activation.
Detection Strategies
- Run periodic internal network scans for TCP/23 exposure on subnets containing Aterm devices and alert on any positive results.
- Inspect router syslog or remote logging for service start events referencing telnetd or equivalent processes.
- Correlate router configuration changes with authenticated administrative sessions to identify out-of-band modifications.
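The syslog inspection and configuration-change correlation described above can be automated on a log collector. The following is an added example, not code from NEC or from the advisory; the log line format, the message wording, and the 15-minute session window are assumptions, and the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in an ASSUMED syslog-like format; real Aterm log
# wording is not given in the advisory, so adapt the patterns to your devices.
SAMPLE_LOG = """\
2026-04-02T09:00:05 192.0.2.1 httpd: admin login ok from 192.0.2.50
2026-04-02T09:01:10 192.0.2.1 config: dns_server changed
2026-04-02T09:10:00 192.0.2.1 httpd: admin logout from 192.0.2.50
2026-04-03T02:14:31 192.0.2.1 init: starting telnetd
2026-04-03T02:20:47 192.0.2.1 config: port_forward changed
2026-04-03T02:21:02 192.0.2.1 config: admin_password changed
"""

LINE = re.compile(r"^(\S+) (\S+) (\w+): (.*)$")  # timestamp, host, tag, message
SESSION_WINDOW = timedelta(minutes=15)  # assumed maximum admin session length


def analyze(log_text, window=SESSION_WINDOW):
    """Return (telnet_starts, unattributed_changes) as lists of (ts, host, msg)."""
    last_login = {}  # host -> time of the most recent open admin login
    telnet_starts, unattributed = [], []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # ignore lines that do not fit the assumed format
        ts = datetime.fromisoformat(m.group(1))
        host, tag, msg = m.group(2), m.group(3), m.group(4)
        if tag == "httpd" and msg.startswith("admin login ok"):
            last_login[host] = ts
        elif tag == "httpd" and msg.startswith("admin logout"):
            last_login.pop(host, None)
        elif "telnetd" in msg.lower():
            telnet_starts.append((ts, host, msg))
        elif tag == "config":
            login = last_login.get(host)
            if login is None or ts - login > window:
                unattributed.append((ts, host, msg))
    return telnet_starts, unattributed


if __name__ == "__main__":
    starts, changes = analyze(SAMPLE_LOG)
    for ts, host, msg in starts:
        print(f"ALERT telnet service start  {ts} {host} {msg}")
    for ts, host, msg in changes:
        print(f"ALERT config change without admin session  {ts} {host} {msg}")
```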
Monitoring Recommendations
- Forward router logs to a centralized logging or SIEM platform and create alerts for telnet-related events.
- Monitor north-south and east-west traffic for cleartext telnet protocol signatures using IDS/IPS rules.
- Track firmware version inventory for all Aterm devices and flag any model still running pre-fix firmware listed in NV26-001.
How to Mitigate CVE-2026-4621
Immediate Actions Required
- Apply the firmware update published by NEC for each affected Aterm model as documented in advisory NV26-001.
- Block inbound TCP/23 at perimeter firewalls and on any upstream ISP-managed gateway.
- Restrict router administrative interfaces to trusted management VLANs only and disable WAN-side management.
- Rotate administrative credentials on all Aterm devices after patching, since prior exposure cannot be ruled out.
Patch Information
NEC has published fixed firmware versions for the impacted Aterm models. Consult the NEC Security Advisory NV26-001 for the authoritative list of fixed firmware versions and download links per model. Devices that have reached end-of-support should be replaced with currently supported hardware.
Workarounds
- Place Aterm routers behind an upstream firewall that drops unsolicited inbound connections to the device's management ports.
- Segment IoT and management networks so a compromised router cannot directly reach sensitive internal systems.
- Disable remote management features and limit configuration access to wired LAN clients until firmware can be applied.
```bash
# Example: block telnet at an upstream Linux gateway using nftables
# (assumes an existing "inet filter" table with "forward" and "input" chains)
nft add rule inet filter forward tcp dport 23 drop
nft add rule inet filter input tcp dport 23 drop

# Example: verify no Aterm device on 192.0.2.0/24 exposes telnet
nmap -p 23 --open 192.0.2.0/24
```