In a recent disclosure, ALE (Alcatel-Lucent Enterprise) published security advisory SA-N0150, addressing multiple critical vulnerabilities in its OmniAccess Stellar WLAN Access Points, affecting popular models such as the AP1100, AP1200, AP1300, AP1400, and AP1500. These flaws—collectively tracked as CVE-2025-52687, CVE-2025-52688, CVE-2025-52689, and CVE-2025-52690—can enable remote attackers to take full control, execute arbitrary code, and bypass authentication without any user interaction.
CVE-2025-52687 (CVSS 9.8): JavaScript and Command Injection in Web UI
This CVE identifier is used for two distinct flaws:
- JavaScript Injection: “Incorrect checking of the text field in payloads input through the WebUI… allows an attacker with administrator credentials to improperly inject JavaScript.” Once embedded, these scripts are executed in other users’ sessions, risking session hijacking and denial-of-service attacks.
- Command Injection via JSON: More critically, an unauthenticated attacker can exploit flaws in the JSON processing of the WebUI to run commands as root, potentially gaining complete control over the access point.
CVE-2025-52688 (CVSS 9.6): Web Login Command Injection
This vulnerability affects the Alcatel AP1361D running firmware 4.0.4 and permits unauthenticated command injection during the login process.
“By including special characters such as ; in the username, an unauthenticated attacker can execute arbitrary commands with root privileges on the device.”
The issue stems from direct interpolation of unsanitized user input into system commands—a textbook command injection vulnerability. A working Proof-of-Concept (PoC) has been publicly released, increasing the urgency for patching.
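As an added, defender-side illustration (not from the advisory or ALE's code): a small log triage script that applies the same allowlist a hardened login handler would enforce to a few constructed proxy log lines, flagging login usernames that carry shell metacharacters. The log line format, the field names and the regexes are assumptions.

```python
import re
from urllib.parse import parse_qs

# Constructed sample log lines (not real device logs): method, path and the
# URL-encoded form body of login requests as a reverse proxy might record them.
SAMPLE_LOG = """\
POST /login body=username=admin&password=REDACTED
POST /login body=username=admin%3Bx&password=REDACTED
POST /login body=username=ops-user_01&password=REDACTED
POST /login body=username=%60x%60&password=REDACTED
GET /status
"""

# Allowlist a hardened login handler would enforce before the value goes anywhere
# near a system command (assumed policy: short, alphanumeric plus . _ -).
ALLOWED_USERNAME = re.compile(r"^[A-Za-z0-9._-]{1,32}$")
# Characters that change what a shell does with a string they appear in.
SHELL_META = re.compile(r"[;&|`$(){}<>\\\n\r]")
# Assumed proxy log format: "<METHOD> <PATH> body=<urlencoded form>".
LINE_RE = re.compile(r"^(?P<method>\w+) (?P<path>\S+)(?: body=(?P<body>.*))?$")


def login_usernames(log_text):
    """Yield (raw_line, decoded_username) for every login POST in the log."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != "/login" or not m["body"]:
            continue
        # parse_qs percent-decodes, so encoded metacharacters are seen as-is.
        params = parse_qs(m["body"], keep_blank_values=True)
        for user in params.get("username", []):
            yield line, user


def classify_username(user):
    """Return 'ok', 'shell-meta' or 'disallowed' for a decoded username."""
    if SHELL_META.search(user):
        return "shell-meta"
    if not ALLOWED_USERNAME.fullmatch(user):
        return "disallowed"
    return "ok"


def find_suspicious_logins(log_text):
    """List (username, verdict) for login attempts that fail the allowlist."""
    flagged = []
    for _, user in login_usernames(log_text):
        verdict = classify_username(user)
        if verdict != "ok":
            flagged.append((user, verdict))
    return flagged
```

The same allowlist check, applied at input time and paired with invoking helpers via an argument list rather than a shell string, is the mitigation that removes this class of bug.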
CVE-2025-52689 (CVSS 9.8): Session ID Forgery via Hardcoded API Key
Another severe flaw exists in how API session IDs are generated using a hardcoded key. This enables attackers to forge login requests and gain admin-level access without credentials.
“This vulnerability could allow an attacker to craft a payload such that /api/login accepts the spoofed login request and returns a valid session ID with administrator privilege.”
CVE-2025-52690 (CVSS 8.1): Cluster Service UDP Injection
The cluster_cor service, which handles AP clustering over UDP port 32769, fails to sanitize inputs, allowing attackers to inject commands via binary packets.
“Improper checking of the packets received… allows an attacker to execute arbitrary commands as root… resulting in a loss of confidentiality, integrity, availability, and full control.”
Notably, this vulnerability can also be exploited without authentication, and a PoC for it exists as well.
Mitigation and Fix
ALE has released AWOS 5.0.2MR1 to address all identified vulnerabilities. Users are strongly advised to upgrade and disable the standalone WebUI, opting instead for centralized management via OmniVista in Enterprise Mode.