Vulnerability-Lookup

CVE-2025-53842 (GCVE-0-2025-53842)

Vulnerability from cvelistv5 – Published: 2025-07-16 04:30 – Updated: 2025-07-18 14:47

Summary

Use of hard-coded credentials issue exists in ZWX-2000CSW2-HN prior to 0.3.19 and ZWX-2000CS2-HN firmware all versions. If this vulnerability is exploited, an attacker may tamper with the settings of the device by obtaining the credentials. This vulnerability is caused by an insufficient fix for CVE-2024-39838.

Severity ?

4.5 (Medium)


                        
                          CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

6.8 (Medium)


                        
                          CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CWE

CWE-798 - Use of hard-coded credentials

Assigner

jpcert

References

URL

Tags

	https://zexelon.co.jp/pdf/jvn44419726.pdf
	https://jvn.jp/en/jp/JVN44419726/
	https://www.cve.org/CVERecord?id=CVE-2024-39838

Impacted products

Vendor

Product

Version

ZEXELON CO., LTD.

ZWX-2000CSW2-HN

Affected: prior to 0.3.19

ZEXELON CO., LTD.

ZWX-2000CS2-HN

Affected: all versions

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-53842",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-18T14:47:02.598589Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-18T14:47:09.380Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ZWX-2000CSW2-HN",
          "vendor": "ZEXELON CO., LTD.",
          "versions": [
            {
              "status": "affected",
              "version": "prior to 0.3.19"
            }
          ]
        },
        {
          "product": "ZWX-2000CS2-HN",
          "vendor": "ZEXELON CO., LTD.",
          "versions": [
            {
              "status": "affected",
              "version": "all versions"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Use of hard-coded credentials issue exists in ZWX-2000CSW2-HN prior to 0.3.19 and ZWX-2000CS2-HN firmware all versions. If this vulnerability is exploited, an attacker may tamper with the settings of the device by obtaining the credentials. This vulnerability is caused by an insufficient fix for CVE-2024-39838."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 4.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-798",
              "description": "Use of hard-coded credentials",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-16T04:30:36.624Z",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "url": "https://zexelon.co.jp/pdf/jvn44419726.pdf"
        },
        {
          "url": "https://jvn.jp/en/jp/JVN44419726/"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-39838"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2025-53842",
    "datePublished": "2025-07-16T04:30:36.624Z",
    "dateReserved": "2025-07-10T01:58:07.983Z",
    "dateUpdated": "2025-07-18T14:47:09.380Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-53842\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-07-18T14:47:02.598589Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-07-18T14:47:06.400Z\"}}], \"cna\": {\"metrics\": [{\"format\": \"CVSS\", \"cvssV3_0\": {\"version\": \"3.0\", \"baseScore\": 4.5, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N\"}, \"scenarios\": [{\"lang\": \"en-US\", \"value\": \"GENERAL\"}]}, {\"format\": \"CVSS\", \"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 6.8, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N\"}, \"scenarios\": [{\"lang\": \"en-US\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"ZEXELON CO., LTD.\", \"product\": \"ZWX-2000CSW2-HN\", \"versions\": [{\"status\": \"affected\", \"version\": \"prior to 0.3.19\"}]}, {\"vendor\": \"ZEXELON CO., LTD.\", \"product\": \"ZWX-2000CS2-HN\", \"versions\": [{\"status\": \"affected\", \"version\": \"all versions\"}]}], \"references\": [{\"url\": \"https://zexelon.co.jp/pdf/jvn44419726.pdf\"}, {\"url\": \"https://jvn.jp/en/jp/JVN44419726/\"}, {\"url\": \"https://www.cve.org/CVERecord?id=CVE-2024-39838\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Use of hard-coded credentials issue exists in ZWX-2000CSW2-HN prior to 0.3.19 and ZWX-2000CS2-HN firmware all versions. If this vulnerability is exploited, an attacker may tamper with the settings of the device by obtaining the credentials. This vulnerability is caused by an insufficient fix for CVE-2024-39838.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en-US\", \"type\": \"CWE\", \"cweId\": \"CWE-798\", \"description\": \"Use of hard-coded credentials\"}]}], \"providerMetadata\": {\"orgId\": \"ede6fdc4-6654-4307-a26d-3331c018e2ce\", \"shortName\": \"jpcert\", \"dateUpdated\": \"2025-07-16T04:30:36.624Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-53842\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-07-18T14:47:09.380Z\", \"dateReserved\": \"2025-07-10T01:58:07.983Z\", \"assignerOrgId\": \"ede6fdc4-6654-4307-a26d-3331c018e2ce\", \"datePublished\": \"2025-07-16T04:30:36.624Z\", \"assignerShortName\": \"jpcert\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

FKIE_CVE-2025-53842

Vulnerability from fkie_nvd - Published: 2025-07-16 05:15 - Updated: 2025-07-16 14:58

Severity ?

4.5 (Medium) - CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Summary

References

	URL	Tags
	vultures@jpcert.or.jp	https://jvn.jp/en/jp/JVN44419726/
	vultures@jpcert.or.jp	https://www.cve.org/CVERecord?id=CVE-2024-39838
	vultures@jpcert.or.jp	https://zexelon.co.jp/pdf/jvn44419726.pdf

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Use of hard-coded credentials issue exists in ZWX-2000CSW2-HN prior to 0.3.19 and ZWX-2000CS2-HN firmware all versions. If this vulnerability is exploited, an attacker may tamper with the settings of the device by obtaining the credentials. This vulnerability is caused by an insufficient fix for CVE-2024-39838."
    },
    {
      "lang": "es",
      "value": "Existe un problema de uso de credenciales codificadas en ZWX-2000CSW2-HN anteriores a la versi\u00f3n 0.3.19 y en todas las versiones del firmware. Si se explota esta vulnerabilidad, un atacante podr\u00eda manipular la configuraci\u00f3n del dispositivo obteniendo las credenciales. Esta vulnerabilidad se debe a una correcci\u00f3n insuficiente para CVE-2024-39838."
    }
  ],
  "id": "CVE-2025-53842",
  "lastModified": "2025-07-16T14:58:59.837",
  "metrics": {
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "ADJACENT_NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 0.9,
        "impactScore": 3.6,
        "source": "vultures@jpcert.or.jp",
        "type": "Secondary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "ADJACENT",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 6.8,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "HIGH",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "vultures@jpcert.or.jp",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-07-16T05:15:33.900",
  "references": [
    {
      "source": "vultures@jpcert.or.jp",
      "url": "https://jvn.jp/en/jp/JVN44419726/"
    },
    {
      "source": "vultures@jpcert.or.jp",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-39838"
    },
    {
      "source": "vultures@jpcert.or.jp",
      "url": "https://zexelon.co.jp/pdf/jvn44419726.pdf"
    }
  ],
  "sourceIdentifier": "vultures@jpcert.or.jp",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-798"
        }
      ],
      "source": "vultures@jpcert.or.jp",
      "type": "Secondary"
    }
  ]
}

JVNDB-2025-000049

Vulnerability from jvndb - Published: 2025-07-16 13:54 - Updated:2025-07-16 13:54

Severity ?

4.5 (Medium) - cvssV3_0 - CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Summary

ZWX-2000CSW2-HN and ZWX-2000CS2-HN vulnerable to use of hard-coded credentials

Details

ZWX-2000CSW2-HN and ZWX-2000CS2-HN provided by ZEXELON CO., LTD. contain the following vulnerability. * Use of Hard-coded Credentials (CWE-798) - CVE-2025-53842 This vulnerability is caused by an insufficient fix for CVE-2024-39838 (JVN#70666401). Hiroki Sato of Institute of Science Tokyo reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

References

Type

URL

	JVN	https://jvn.jp/en/jp/JVN70666401/
	JVN	https://jvn.jp/en/jp/JVN44419726/index.html
	CVE	https://www.cve.org/CVERecord?id=CVE-2025-53842
	No Mapping(CWE-Other)	https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html

Impacted products

Vendor

Product

	ZEXELON CO., LTD.	ZWX-2000CS2-HN
	ZEXELON CO., LTD.	ZWX-2000CS2-HN
	ZEXELON CO., LTD.	ZWX-2000CSW2-HN
	ZEXELON CO., LTD.	ZWX-2000CSW2-HN
	ZEXELON CO., LTD.	ZWX-2000CSW2-HN

Show details on JVN DB website

JSON

To clipboard

{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-000049.html",
  "dc:date": "2025-07-16T13:54+09:00",
  "dcterms:issued": "2025-07-16T13:54+09:00",
  "dcterms:modified": "2025-07-16T13:54+09:00",
  "description": "ZWX-2000CSW2-HN and ZWX-2000CS2-HN provided by ZEXELON CO., LTD. contain the following vulnerability.\r\n\r\n* Use of Hard-coded Credentials (CWE-798) - CVE-2025-53842\r\n\r\nThis vulnerability is caused by an insufficient fix for CVE-2024-39838 (\u003ca href=\"https://jvn.jp/en/jp/JVN70666401/\"target=\"blank\"\u003eJVN#70666401\u003c/a\u003e).\r\n\r\nHiroki Sato of Institute of Science Tokyo reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
  "link": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-000049.html",
  "sec:cpe": [
    {
      "#text": "cpe:/a:misc:zexelon_zwx-2000cs2-hn",
      "@product": "ZWX-2000CS2-HN",
      "@vendor": "ZEXELON CO., LTD.",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/a:misc:zexelon_zwx-2000cs2-hn",
      "@product": "ZWX-2000CS2-HN",
      "@vendor": "ZEXELON CO., LTD.",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/a:misc:zexelon_zwx-2000csw2-hn",
      "@product": "ZWX-2000CSW2-HN",
      "@vendor": "ZEXELON CO., LTD.",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/a:misc:zexelon_zwx-2000csw2-hn",
      "@product": "ZWX-2000CSW2-HN",
      "@vendor": "ZEXELON CO., LTD.",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/a:misc:zexelon_zwx-2000csw2-hn",
      "@product": "ZWX-2000CSW2-HN",
      "@vendor": "ZEXELON CO., LTD.",
      "@version": "2.2"
    }
  ],
  "sec:cvss": {
    "@score": "4.5",
    "@severity": "Medium",
    "@type": "Base",
    "@vector": "CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
    "@version": "3.0"
  },
  "sec:identifier": "JVNDB-2025-000049",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/jp/JVN70666401/",
      "@id": "JVN#70666401",
      "@source": "JVN"
    },
    {
      "#text": "https://jvn.jp/en/jp/JVN44419726/index.html",
      "@id": "JVN#44419726",
      "@source": "JVN"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2025-53842",
      "@id": "CVE-2025-53842",
      "@source": "CVE"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-Other",
      "@title": "No Mapping(CWE-Other)"
    }
  ],
  "title": "ZWX-2000CSW2-HN and ZWX-2000CS2-HN vulnerable to use of hard-coded credentials"
}

GHSA-8F24-HH72-5GF6

Vulnerability from github – Published: 2025-07-16 06:30 – Updated: 2025-07-16 06:30

Details

Severity ?

4.5 (Medium)


                  
                    CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

6.8 (Medium)


                  
                    CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2025-53842"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-16T05:15:33Z",
    "severity": "MODERATE"
  },
  "details": "Use of hard-coded credentials issue exists in ZWX-2000CSW2-HN prior to 0.3.19 and ZWX-2000CS2-HN firmware all versions. If this vulnerability is exploited, an attacker may tamper with the settings of the device by obtaining the credentials. This vulnerability is caused by an insufficient fix for CVE-2024-39838.",
  "id": "GHSA-8f24-hh72-5gf6",
  "modified": "2025-07-16T06:30:29Z",
  "published": "2025-07-16T06:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53842"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN44419726"
    },
    {
      "type": "WEB",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-39838"
    },
    {
      "type": "WEB",
      "url": "https://zexelon.co.jp/pdf/jvn44419726.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-53842 (GCVE-0-2025-53842)

FKIE_CVE-2025-53842

JVNDB-2025-000049

GHSA-8F24-HH72-5GF6

Tags

Sightings

Nomenclature