
A recent security advisory from JPCERT/CC has highlighted multiple vulnerabilities in Inaba Denki Sangyo Co., Ltd.’s Wi-Fi AP UNIT ‘AC-WPS-11ac series’. These vulnerabilities affect several models within the series, posing a risk to the security and integrity of networks using these devices.
According to the advisory, eight distinct vulnerabilities affect several models within the AC-WPS-11ac family, including the AC-WPS-11ac, AC-WPSM-11ac, and AC-PD-WPS-11ac lines—all running firmware version v2.0.03P or earlier. Notably, two of the most severe flaws allow for remote command execution:
- CVE-2025-25053 and CVE-2025-27797 are both command injection vulnerabilities, scoring 8.8 and 9.8 respectively on the CVSS v3.1 scale. JPCERT/CC warns that, “An arbitrary OS command may be executed by a remote attacker who can log in to the product.”
These flaws essentially grant attackers the ability to execute commands on the underlying operating system, possibly leading to full device compromise.
Another serious issue is CVE-2025-29870, which was rated 7.5 and involves missing authentication for critical functions. This could allow an unauthenticated attacker to gain unauthorized access to configuration data, including sensitive credentials. “A remote unauthenticated attacker may obtain the product configuration information including authentication information,” the report states.
While some vulnerabilities are less severe, their exploitation in concert could facilitate lateral movement or privilege escalation:
- CVE-2025-23407 (CVSS 4.3) – Incorrect privilege assignment in the web UI
- CVE-2025-25056 (CVSS 4.3) – Cross-site request forgery (CSRF)
- CVE-2025-25213 (CVSS 6.5) – Improper frame/UI layer restrictions
- CVE-2025-27722 (CVSS 5.9) – Cleartext transmission of sensitive information
- CVE-2025-27934 (CVSS 7.5) – Authentication information disclosure in a specific service
The CSRF and UI rendering vulnerabilities open the door for social engineering attacks, particularly when users are logged into the device’s admin panel and inadvertently trigger malicious requests by viewing compromised web pages.
JPCERT/CC strongly advises administrators to update to firmware version v2.0.06.13P, which addresses all identified vulnerabilities. Affected models include:
- AC-WPS-11ac / -P
- AC-WPSM-11ac / -P
- AC-PD-WPS-11ac / -P
Additionally, Inaba Denki Sangyo recommends applying supplementary workarounds to reinforce device security.
While these devices may be used primarily in specialized industrial or enterprise contexts, the implications of these vulnerabilities are broad—especially considering the risk of unauthorized network access and sensitive data leakage. Organizations utilizing the AC-WPS-11ac series should immediately update firmware and audit device configurations to mitigate potential exposure.
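For the firmware audit recommended above, the following added example (not code from JPCERT/CC or the vendor) classifies an inventory against the two firmware versions named in the article. It assumes version strings follow the printed form (`v2.0.03P`), that "/ -P" denotes a `-P` suffix on the model name, and it uses a constructed inventory with hypothetical host names.

```python
import re

# Versions and model names come from the article; the version grammar and
# the "-P" suffix handling are assumptions made for this example.
AFFECTED_MAX = "v2.0.03P"     # this firmware or earlier is affected
FIXED_MIN = "v2.0.06.13P"     # firmware that addresses all eight CVEs
AFFECTED_MODELS = {"AC-WPS-11AC", "AC-WPSM-11AC", "AC-PD-WPS-11AC"}

def parse_version(text):
    """'v2.0.06.13P' -> (2, 0, 6, 13); raises ValueError on other shapes."""
    m = re.fullmatch(r"[vV]?(\d+(?:\.\d+)*)[A-Za-z]?", text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))

def compare(a, b):
    """Return -1, 0 or 1; shorter versions are zero-padded (2.0.3 -> 2.0.3.0)."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)

def base_model(model):
    """Normalise case and drop the assumed '-P' variant suffix."""
    name = model.strip().upper()
    return name[:-2] if name.endswith("-P") else name

def classify(model, firmware):
    if base_model(model) not in AFFECTED_MODELS:
        return "not-in-advisory"
    try:
        if compare(firmware, AFFECTED_MAX) <= 0:
            return "vulnerable"
        if compare(firmware, FIXED_MIN) >= 0:
            return "fixed"
    except ValueError:
        return "unknown-version"   # check the device by hand
    # Between the two versions the article names: status is not stated there.
    return "unconfirmed"

# Constructed inventory: (host, model, firmware as reported by the device).
INVENTORY = [
    ("ap-floor1", "AC-WPS-11ac", "v2.0.03P"),
    ("ap-floor2", "AC-WPSM-11ac-P", "v2.0.06.13P"),
    ("ap-dock", "AC-PD-WPS-11ac", "v2.0.05P"),
    ("ap-lab", "AC-WPS-11ac-P", "n/a"),
]

def audit(inventory):
    return {host: classify(model, fw) for host, model, fw in inventory}

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host}: {status}")
```

Devices reported as `unconfirmed` or `unknown-version` should be treated as needing the update until the firmware is verified on the device itself.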