Search
Find a vulnerability
Search criteria
17 vulnerabilities by Rakuten Mobile, Inc.
CVE-2024-52033 (GCVE-0-2024-52033)
Vulnerability from nvd – Published: 2024-11-20 07:29 – Updated: 2024-11-20 15:05
VLAI
Summary
Exposure of sensitive system information to an unauthorized control sphere issue exists in Rakuten Turbo 5G firmware version V1.3.18 and earlier. If this vulnerability is exploited, a remote unauthenticated attacker may obtain information of the other devices connected through the Wi-Fi.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-497 - Exposure of sensitive system information to an unauthorized control sphere
Assigner
References
2 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Rakuten Mobile, Inc. | Rakuten Turbo 5G |
Affected:
V1.3.18 and earlier
|
|
| rakuten | turbo_5g_firmware |
Affected:
0 , ≤ 1.3.18
(custom)
cpe:2.3:o:rakuten:turbo_5g_firmware:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:rakuten:turbo_5g_firmware:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "turbo_5g_firmware",
"vendor": "rakuten",
"versions": [
{
"lessThanOrEqual": "1.3.18",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52033",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-20T15:00:34.400424Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-20T15:05:53.174Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Rakuten Turbo 5G",
"vendor": "Rakuten Mobile, Inc.",
"versions": [
{
"status": "affected",
"version": "V1.3.18 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Exposure of sensitive system information to an unauthorized control sphere issue exists in Rakuten Turbo 5G firmware version V1.3.18 and earlier. If this vulnerability is exploited, a remote unauthenticated attacker may obtain information of the other devices connected through the Wi-Fi."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-497",
"description": "Exposure of sensitive system information to an unauthorized control sphere",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-20T07:29:44.727Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://network.mobile.rakuten.co.jp/internet/turbo/information/news/3184/"
},
{
"url": "https://jvn.jp/en/vu/JVNVU90667116/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-52033",
"datePublished": "2024-11-20T07:29:44.727Z",
"dateReserved": "2024-11-05T02:54:13.731Z",
"dateUpdated": "2024-11-20T15:05:53.174Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-48895 (GCVE-0-2024-48895)
Vulnerability from nvd – Published: 2024-11-20 07:30 – Updated: 2024-11-20 15:16
VLAI
Summary
Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in Rakuten Turbo 5G firmware version V1.3.18 and earlier. If this vulnerability is exploited, a remote authenticated attacker may execute an arbitrary OS command.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper neutralization of special elements used in an OS command ('OS Command Injection')
Assigner
References
2 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Rakuten Mobile, Inc. | Rakuten Turbo 5G |
Affected:
V1.3.18 and earlier
|
|
| rakuten | turbo_5g_firmware |
Affected:
0 , ≤ 1.3.18
(custom)
cpe:2.3:o:rakuten:turbo_5g_firmware:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:rakuten:turbo_5g_firmware:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "turbo_5g_firmware",
"vendor": "rakuten",
"versions": [
{
"lessThanOrEqual": "1.3.18",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-48895",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-20T15:00:28.074293Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-20T15:16:26.650Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Rakuten Turbo 5G",
"vendor": "Rakuten Mobile, Inc.",
"versions": [
{
"status": "affected",
"version": "V1.3.18 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027) issue exists in Rakuten Turbo 5G firmware version V1.3.18 and earlier. If this vulnerability is exploited, a remote authenticated attacker may execute an arbitrary OS command."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-20T07:30:10.357Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://network.mobile.rakuten.co.jp/internet/turbo/information/news/3184/"
},
{
"url": "https://jvn.jp/en/vu/JVNVU90667116/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-48895",
"datePublished": "2024-11-20T07:30:10.357Z",
"dateReserved": "2024-11-05T02:54:12.661Z",
"dateUpdated": "2024-11-20T15:16:26.650Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-47865 (GCVE-0-2024-47865)
Vulnerability from nvd – Published: 2024-11-20 07:30 – Updated: 2024-11-20 15:16
VLAI
Summary
Missing authentication for critical function vulnerability exists in Rakuten Turbo 5G firmware version V1.3.18 and earlier. If this vulnerability is exploited, a remote unauthenticated attacker may update or downgrade the firmware on the device.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-306 - Missing authentication for critical function
Assigner
References
2 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Rakuten Mobile, Inc. | Rakuten Turbo 5G |
Affected:
V1.3.18 and earlier
|
|
| rakuten | turbo_5g_firmware |
Affected:
0 , ≤ 1.3.18
(custom)
cpe:2.3:o:rakuten:turbo_5g_firmware:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:rakuten:turbo_5g_firmware:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "turbo_5g_firmware",
"vendor": "rakuten",
"versions": [
{
"lessThanOrEqual": "1.3.18",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47865",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-20T15:00:21.866202Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-20T15:16:26.808Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Rakuten Turbo 5G",
"vendor": "Rakuten Mobile, Inc.",
"versions": [
{
"status": "affected",
"version": "V1.3.18 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Missing authentication for critical function vulnerability exists in Rakuten Turbo 5G firmware version V1.3.18 and earlier. If this vulnerability is exploited, a remote unauthenticated attacker may update or downgrade the firmware on the device."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "Missing authentication for critical function",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-20T07:30:35.780Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://network.mobile.rakuten.co.jp/internet/turbo/information/news/3184/"
},
{
"url": "https://jvn.jp/en/vu/JVNVU90667116/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-47865",
"datePublished": "2024-11-20T07:30:35.780Z",
"dateReserved": "2024-11-05T02:54:11.800Z",
"dateUpdated": "2024-11-20T15:16:26.808Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-40282 (GCVE-0-2023-40282)
Vulnerability from nvd – Published: 2023-08-23 03:16 – Updated: 2025-07-01 14:01 Unsupported When Assigned
VLAI
Summary
Improper authentication vulnerability in Rakuten WiFi Pocket all versions allows a network-adjacent attacker to log in to the product's Management Screen. As a result, sensitive information may be obtained and/or the settings may be changed.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- Improper authentication
- CWE-287 - Improper Authentication
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Rakuten Mobile, Inc. | Rakuten WiFi Pocket |
Affected:
all versions
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:31:53.265Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://network.mobile.rakuten.co.jp/product/internet/rakuten-wifi-pocket/support/"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN55217369/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-40282",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-17T03:09:42.399512Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-01T14:01:12.204Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Rakuten WiFi Pocket",
"vendor": "Rakuten Mobile, Inc.",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper authentication vulnerability in Rakuten WiFi Pocket all versions allows a network-adjacent attacker to log in to the product\u0027s Management Screen. As a result, sensitive information may be obtained and/or the settings may be changed."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper authentication",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-23T03:16:56.417Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://network.mobile.rakuten.co.jp/product/internet/rakuten-wifi-pocket/support/"
},
{
"url": "https://jvn.jp/en/jp/JVN55217369/"
}
],
"tags": [
"unsupported-when-assigned"
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-40282",
"datePublished": "2023-08-23T03:16:56.417Z",
"dateReserved": "2023-08-14T01:52:11.134Z",
"dateUpdated": "2025-07-01T14:01:12.204Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-29525 (GCVE-0-2022-29525)
Vulnerability from nvd – Published: 2022-06-13 04:50 – Updated: 2024-08-03 06:26
VLAI
Summary
Rakuten Casa version AP_F_V1_4_1 or AP_F_V2_0_0 uses a hard-coded credential which may allow a remote unauthenticated attacker to log in with the root privilege and perform an arbitrary operation.
Severity
No CVSS data available.
CWE
- Use of Hard-coded credentials
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://network.mobile.rakuten.co.jp/information/… | x_refsource_MISC |
| https://jvn.jp/en/jp/JVN46892984/index.html | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Rakuten Mobile, Inc. | Rakuten Casa |
Affected:
version AP_F_V1_4_1 or AP_F_V2_0_0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:26:05.961Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://network.mobile.rakuten.co.jp/information/news/product/1033/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN46892984/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Rakuten Casa",
"vendor": "Rakuten Mobile, Inc.",
"versions": [
{
"status": "affected",
"version": "version AP_F_V1_4_1 or AP_F_V2_0_0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Rakuten Casa version AP_F_V1_4_1 or AP_F_V2_0_0 uses a hard-coded credential which may allow a remote unauthenticated attacker to log in with the root privilege and perform an arbitrary operation."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Use of Hard-coded credentials",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-13T04:50:33.000Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://network.mobile.rakuten.co.jp/information/news/product/1033/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/jp/JVN46892984/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2022-29525",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Rakuten Casa",
"version": {
"version_data": [
{
"version_value": "version AP_F_V1_4_1 or AP_F_V2_0_0"
}
]
}
}
]
},
"vendor_name": "Rakuten Mobile, Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Rakuten Casa version AP_F_V1_4_1 or AP_F_V2_0_0 uses a hard-coded credential which may allow a remote unauthenticated attacker to log in with the root privilege and perform an arbitrary operation."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Use of Hard-coded credentials"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://network.mobile.rakuten.co.jp/information/news/product/1033/",
"refsource": "MISC",
"url": "https://network.mobile.rakuten.co.jp/information/news/product/1033/"
},
{
"name": "https://jvn.jp/en/jp/JVN46892984/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/jp/JVN46892984/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2022-29525",
"datePublished": "2022-06-13T04:50:33.000Z",
"dateReserved": "2022-05-13T00:00:00.000Z",
"dateUpdated": "2024-08-03T06:26:05.961Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-28704 (GCVE-0-2022-28704)
Vulnerability from nvd – Published: 2022-06-13 04:50 – Updated: 2024-08-03 06:03
VLAI
Summary
Improper access control vulnerability in Rakuten Casa version AP_F_V1_4_1 or AP_F_V2_0_0 allows a remote attacker to log in with the root privilege and perform an arbitrary operation if the product is in its default settings in which is set to accept SSH connections from the WAN side, and is also connected to the Internet with the authentication information unchanged from the default settings.
Severity
No CVSS data available.
CWE
- Improper Access Control
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://network.mobile.rakuten.co.jp/information/… | x_refsource_MISC |
| https://jvn.jp/en/jp/JVN46892984/index.html | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Rakuten Mobile, Inc. | Rakuten Casa |
Affected:
version AP_F_V1_4_1 or AP_F_V2_0_0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:03:52.147Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://network.mobile.rakuten.co.jp/information/news/product/1033/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN46892984/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Rakuten Casa",
"vendor": "Rakuten Mobile, Inc.",
"versions": [
{
"status": "affected",
"version": "version AP_F_V1_4_1 or AP_F_V2_0_0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper access control vulnerability in Rakuten Casa version AP_F_V1_4_1 or AP_F_V2_0_0 allows a remote attacker to log in with the root privilege and perform an arbitrary operation if the product is in its default settings in which is set to accept SSH connections from the WAN side, and is also connected to the Internet with the authentication information unchanged from the default settings."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Access Control",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-13T04:50:31.000Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://network.mobile.rakuten.co.jp/information/news/product/1033/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/jp/JVN46892984/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2022-28704",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Rakuten Casa",
"version": {
"version_data": [
{
"version_value": "version AP_F_V1_4_1 or AP_F_V2_0_0"
}
]
}
}
]
},
"vendor_name": "Rakuten Mobile, Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper access control vulnerability in Rakuten Casa version AP_F_V1_4_1 or AP_F_V2_0_0 allows a remote attacker to log in with the root privilege and perform an arbitrary operation if the product is in its default settings in which is set to accept SSH connections from the WAN side, and is also connected to the Internet with the authentication information unchanged from the default settings."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://network.mobile.rakuten.co.jp/information/news/product/1033/",
"refsource": "MISC",
"url": "https://network.mobile.rakuten.co.jp/information/news/product/1033/"
},
{
"name": "https://jvn.jp/en/jp/JVN46892984/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/jp/JVN46892984/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2022-28704",
"datePublished": "2022-06-13T04:50:32.000Z",
"dateReserved": "2022-05-13T00:00:00.000Z",
"dateUpdated": "2024-08-03T06:03:52.147Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-26834 (GCVE-0-2022-26834)
Vulnerability from nvd – Published: 2022-06-13 04:50 – Updated: 2024-08-03 05:11
VLAI
Summary
Improper access control vulnerability in Rakuten Casa version AP_F_V1_4_1 or AP_F_V2_0_0 allows a remote attacker to obtain the information stored in the product because the product is set to accept HTTP connections from the WAN side by default.
Severity
No CVSS data available.
CWE
- Improper Access Control
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://network.mobile.rakuten.co.jp/information/… | x_refsource_MISC |
| https://jvn.jp/en/jp/JVN46892984/index.html | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Rakuten Mobile, Inc. | Rakuten Casa |
Affected:
version AP_F_V1_4_1 or AP_F_V2_0_0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T05:11:44.548Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://network.mobile.rakuten.co.jp/information/news/product/1033/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN46892984/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Rakuten Casa",
"vendor": "Rakuten Mobile, Inc.",
"versions": [
{
"status": "affected",
"version": "version AP_F_V1_4_1 or AP_F_V2_0_0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper access control vulnerability in Rakuten Casa version AP_F_V1_4_1 or AP_F_V2_0_0 allows a remote attacker to obtain the information stored in the product because the product is set to accept HTTP connections from the WAN side by default."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Access Control",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-13T04:50:27.000Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://network.mobile.rakuten.co.jp/information/news/product/1033/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/jp/JVN46892984/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2022-26834",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Rakuten Casa",
"version": {
"version_data": [
{
"version_value": "version AP_F_V1_4_1 or AP_F_V2_0_0"
}
]
}
}
]
},
"vendor_name": "Rakuten Mobile, Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper access control vulnerability in Rakuten Casa version AP_F_V1_4_1 or AP_F_V2_0_0 allows a remote attacker to obtain the information stored in the product because the product is set to accept HTTP connections from the WAN side by default."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://network.mobile.rakuten.co.jp/information/news/product/1033/",
"refsource": "MISC",
"url": "https://network.mobile.rakuten.co.jp/information/news/product/1033/"
},
{
"name": "https://jvn.jp/en/jp/JVN46892984/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/jp/JVN46892984/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2022-26834",
"datePublished": "2022-06-13T04:50:27.000Z",
"dateReserved": "2022-05-13T00:00:00.000Z",
"dateUpdated": "2024-08-03T05:11:44.548Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-47865 (GCVE-0-2024-47865)
Vulnerability from cvelistv5 – Published: 2024-11-20 07:30 – Updated: 2024-11-20 15:16
VLAI
Summary
Missing authentication for critical function vulnerability exists in Rakuten Turbo 5G firmware version V1.3.18 and earlier. If this vulnerability is exploited, a remote unauthenticated attacker may update or downgrade the firmware on the device.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-306 - Missing authentication for critical function
Assigner
References
2 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Rakuten Mobile, Inc. | Rakuten Turbo 5G |
Affected:
V1.3.18 and earlier
|
|
| rakuten | turbo_5g_firmware |
Affected:
0 , ≤ 1.3.18
(custom)
cpe:2.3:o:rakuten:turbo_5g_firmware:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:rakuten:turbo_5g_firmware:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "turbo_5g_firmware",
"vendor": "rakuten",
"versions": [
{
"lessThanOrEqual": "1.3.18",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47865",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-20T15:00:21.866202Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-20T15:16:26.808Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Rakuten Turbo 5G",
"vendor": "Rakuten Mobile, Inc.",
"versions": [
{
"status": "affected",
"version": "V1.3.18 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Missing authentication for critical function vulnerability exists in Rakuten Turbo 5G firmware version V1.3.18 and earlier. If this vulnerability is exploited, a remote unauthenticated attacker may update or downgrade the firmware on the device."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "Missing authentication for critical function",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-20T07:30:35.780Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://network.mobile.rakuten.co.jp/internet/turbo/information/news/3184/"
},
{
"url": "https://jvn.jp/en/vu/JVNVU90667116/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-47865",
"datePublished": "2024-11-20T07:30:35.780Z",
"dateReserved": "2024-11-05T02:54:11.800Z",
"dateUpdated": "2024-11-20T15:16:26.808Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-48895 (GCVE-0-2024-48895)
Vulnerability from cvelistv5 – Published: 2024-11-20 07:30 – Updated: 2024-11-20 15:16
VLAI
Summary
Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in Rakuten Turbo 5G firmware version V1.3.18 and earlier. If this vulnerability is exploited, a remote authenticated attacker may execute an arbitrary OS command.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper neutralization of special elements used in an OS command ('OS Command Injection')
Assigner
References
2 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Rakuten Mobile, Inc. | Rakuten Turbo 5G |
Affected:
V1.3.18 and earlier
|
|
| rakuten | turbo_5g_firmware |
Affected:
0 , ≤ 1.3.18
(custom)
cpe:2.3:o:rakuten:turbo_5g_firmware:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:rakuten:turbo_5g_firmware:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "turbo_5g_firmware",
"vendor": "rakuten",
"versions": [
{
"lessThanOrEqual": "1.3.18",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-48895",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-20T15:00:28.074293Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-20T15:16:26.650Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Rakuten Turbo 5G",
"vendor": "Rakuten Mobile, Inc.",
"versions": [
{
"status": "affected",
"version": "V1.3.18 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027) issue exists in Rakuten Turbo 5G firmware version V1.3.18 and earlier. If this vulnerability is exploited, a remote authenticated attacker may execute an arbitrary OS command."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-20T07:30:10.357Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://network.mobile.rakuten.co.jp/internet/turbo/information/news/3184/"
},
{
"url": "https://jvn.jp/en/vu/JVNVU90667116/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-48895",
"datePublished": "2024-11-20T07:30:10.357Z",
"dateReserved": "2024-11-05T02:54:12.661Z",
"dateUpdated": "2024-11-20T15:16:26.650Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-52033 (GCVE-0-2024-52033)
Vulnerability from cvelistv5 – Published: 2024-11-20 07:29 – Updated: 2024-11-20 15:05
VLAI
Summary
Exposure of sensitive system information to an unauthorized control sphere issue exists in Rakuten Turbo 5G firmware version V1.3.18 and earlier. If this vulnerability is exploited, a remote unauthenticated attacker may obtain information of the other devices connected through the Wi-Fi.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-497 - Exposure of sensitive system information to an unauthorized control sphere
Assigner
References
2 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Rakuten Mobile, Inc. | Rakuten Turbo 5G |
Affected:
V1.3.18 and earlier
|
|
| rakuten | turbo_5g_firmware |
Affected:
0 , ≤ 1.3.18
(custom)
cpe:2.3:o:rakuten:turbo_5g_firmware:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:rakuten:turbo_5g_firmware:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "turbo_5g_firmware",
"vendor": "rakuten",
"versions": [
{
"lessThanOrEqual": "1.3.18",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52033",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-20T15:00:34.400424Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-20T15:05:53.174Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Rakuten Turbo 5G",
"vendor": "Rakuten Mobile, Inc.",
"versions": [
{
"status": "affected",
"version": "V1.3.18 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Exposure of sensitive system information to an unauthorized control sphere issue exists in Rakuten Turbo 5G firmware version V1.3.18 and earlier. If this vulnerability is exploited, a remote unauthenticated attacker may obtain information of the other devices connected through the Wi-Fi."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-497",
"description": "Exposure of sensitive system information to an unauthorized control sphere",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-20T07:29:44.727Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://network.mobile.rakuten.co.jp/internet/turbo/information/news/3184/"
},
{
"url": "https://jvn.jp/en/vu/JVNVU90667116/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-52033",
"datePublished": "2024-11-20T07:29:44.727Z",
"dateReserved": "2024-11-05T02:54:13.731Z",
"dateUpdated": "2024-11-20T15:05:53.174Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-40282 (GCVE-0-2023-40282)
Vulnerability from cvelistv5 – Published: 2023-08-23 03:16 – Updated: 2025-07-01 14:01 Unsupported When Assigned
VLAI
Summary
Improper authentication vulnerability in Rakuten WiFi Pocket all versions allows a network-adjacent attacker to log in to the product's Management Screen. As a result, sensitive information may be obtained and/or the settings may be changed.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- Improper authentication
- CWE-287 - Improper Authentication
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Rakuten Mobile, Inc. | Rakuten WiFi Pocket |
Affected:
all versions
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:31:53.265Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://network.mobile.rakuten.co.jp/product/internet/rakuten-wifi-pocket/support/"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN55217369/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-40282",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-17T03:09:42.399512Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-01T14:01:12.204Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Rakuten WiFi Pocket",
"vendor": "Rakuten Mobile, Inc.",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper authentication vulnerability in Rakuten WiFi Pocket all versions allows a network-adjacent attacker to log in to the product\u0027s Management Screen. As a result, sensitive information may be obtained and/or the settings may be changed."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper authentication",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-23T03:16:56.417Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://network.mobile.rakuten.co.jp/product/internet/rakuten-wifi-pocket/support/"
},
{
"url": "https://jvn.jp/en/jp/JVN55217369/"
}
],
"tags": [
"unsupported-when-assigned"
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-40282",
"datePublished": "2023-08-23T03:16:56.417Z",
"dateReserved": "2023-08-14T01:52:11.134Z",
"dateUpdated": "2025-07-01T14:01:12.204Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-29525 (GCVE-0-2022-29525)
Vulnerability from cvelistv5 – Published: 2022-06-13 04:50 – Updated: 2024-08-03 06:26
VLAI
Summary
Rakuten Casa version AP_F_V1_4_1 or AP_F_V2_0_0 uses a hard-coded credential which may allow a remote unauthenticated attacker to log in with the root privilege and perform an arbitrary operation.
Severity
No CVSS data available.
CWE
- Use of Hard-coded credentials
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://network.mobile.rakuten.co.jp/information/… | x_refsource_MISC |
| https://jvn.jp/en/jp/JVN46892984/index.html | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Rakuten Mobile, Inc. | Rakuten Casa |
Affected:
version AP_F_V1_4_1 or AP_F_V2_0_0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:26:05.961Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://network.mobile.rakuten.co.jp/information/news/product/1033/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN46892984/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Rakuten Casa",
"vendor": "Rakuten Mobile, Inc.",
"versions": [
{
"status": "affected",
"version": "version AP_F_V1_4_1 or AP_F_V2_0_0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Rakuten Casa version AP_F_V1_4_1 or AP_F_V2_0_0 uses a hard-coded credential which may allow a remote unauthenticated attacker to log in with the root privilege and perform an arbitrary operation."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Use of Hard-coded credentials",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-13T04:50:33.000Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://network.mobile.rakuten.co.jp/information/news/product/1033/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/jp/JVN46892984/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2022-29525",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Rakuten Casa",
"version": {
"version_data": [
{
"version_value": "version AP_F_V1_4_1 or AP_F_V2_0_0"
}
]
}
}
]
},
"vendor_name": "Rakuten Mobile, Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Rakuten Casa version AP_F_V1_4_1 or AP_F_V2_0_0 uses a hard-coded credential which may allow a remote unauthenticated attacker to log in with the root privilege and perform an arbitrary operation."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Use of Hard-coded credentials"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://network.mobile.rakuten.co.jp/information/news/product/1033/",
"refsource": "MISC",
"url": "https://network.mobile.rakuten.co.jp/information/news/product/1033/"
},
{
"name": "https://jvn.jp/en/jp/JVN46892984/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/jp/JVN46892984/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2022-29525",
"datePublished": "2022-06-13T04:50:33.000Z",
"dateReserved": "2022-05-13T00:00:00.000Z",
"dateUpdated": "2024-08-03T06:26:05.961Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-28704 (GCVE-0-2022-28704)
Vulnerability from cvelistv5 – Published: 2022-06-13 04:50 – Updated: 2024-08-03 06:03
VLAI
Summary
Improper access control vulnerability in Rakuten Casa version AP_F_V1_4_1 or AP_F_V2_0_0 allows a remote attacker to log in with the root privilege and perform an arbitrary operation if the product is in its default settings in which is set to accept SSH connections from the WAN side, and is also connected to the Internet with the authentication information unchanged from the default settings.
Severity
No CVSS data available.
CWE
- Improper Access Control
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://network.mobile.rakuten.co.jp/information/… | x_refsource_MISC |
| https://jvn.jp/en/jp/JVN46892984/index.html | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Rakuten Mobile, Inc. | Rakuten Casa |
Affected:
version AP_F_V1_4_1 or AP_F_V2_0_0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:03:52.147Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://network.mobile.rakuten.co.jp/information/news/product/1033/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN46892984/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Rakuten Casa",
"vendor": "Rakuten Mobile, Inc.",
"versions": [
{
"status": "affected",
"version": "version AP_F_V1_4_1 or AP_F_V2_0_0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper access control vulnerability in Rakuten Casa version AP_F_V1_4_1 or AP_F_V2_0_0 allows a remote attacker to log in with the root privilege and perform an arbitrary operation if the product is in its default settings in which is set to accept SSH connections from the WAN side, and is also connected to the Internet with the authentication information unchanged from the default settings."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Access Control",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-13T04:50:31.000Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://network.mobile.rakuten.co.jp/information/news/product/1033/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/jp/JVN46892984/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2022-28704",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Rakuten Casa",
"version": {
"version_data": [
{
"version_value": "version AP_F_V1_4_1 or AP_F_V2_0_0"
}
]
}
}
]
},
"vendor_name": "Rakuten Mobile, Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper access control vulnerability in Rakuten Casa version AP_F_V1_4_1 or AP_F_V2_0_0 allows a remote attacker to log in with the root privilege and perform an arbitrary operation if the product is in its default settings in which is set to accept SSH connections from the WAN side, and is also connected to the Internet with the authentication information unchanged from the default settings."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://network.mobile.rakuten.co.jp/information/news/product/1033/",
"refsource": "MISC",
"url": "https://network.mobile.rakuten.co.jp/information/news/product/1033/"
},
{
"name": "https://jvn.jp/en/jp/JVN46892984/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/jp/JVN46892984/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2022-28704",
"datePublished": "2022-06-13T04:50:32.000Z",
"dateReserved": "2022-05-13T00:00:00.000Z",
"dateUpdated": "2024-08-03T06:03:52.147Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-26834 (GCVE-0-2022-26834)
Vulnerability from cvelistv5 – Published: 2022-06-13 04:50 – Updated: 2024-08-03 05:11
VLAI
Summary
Improper access control vulnerability in Rakuten Casa version AP_F_V1_4_1 or AP_F_V2_0_0 allows a remote attacker to obtain the information stored in the product because the product is set to accept HTTP connections from the WAN side by default.
Severity
No CVSS data available.
CWE
- Improper Access Control
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://network.mobile.rakuten.co.jp/information/… | x_refsource_MISC |
| https://jvn.jp/en/jp/JVN46892984/index.html | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Rakuten Mobile, Inc. | Rakuten Casa |
Affected:
version AP_F_V1_4_1 or AP_F_V2_0_0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T05:11:44.548Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://network.mobile.rakuten.co.jp/information/news/product/1033/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN46892984/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Rakuten Casa",
"vendor": "Rakuten Mobile, Inc.",
"versions": [
{
"status": "affected",
"version": "version AP_F_V1_4_1 or AP_F_V2_0_0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper access control vulnerability in Rakuten Casa version AP_F_V1_4_1 or AP_F_V2_0_0 allows a remote attacker to obtain the information stored in the product because the product is set to accept HTTP connections from the WAN side by default."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Access Control",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-13T04:50:27.000Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://network.mobile.rakuten.co.jp/information/news/product/1033/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/jp/JVN46892984/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2022-26834",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Rakuten Casa",
"version": {
"version_data": [
{
"version_value": "version AP_F_V1_4_1 or AP_F_V2_0_0"
}
]
}
}
]
},
"vendor_name": "Rakuten Mobile, Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper access control vulnerability in Rakuten Casa version AP_F_V1_4_1 or AP_F_V2_0_0 allows a remote attacker to obtain the information stored in the product because the product is set to accept HTTP connections from the WAN side by default."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://network.mobile.rakuten.co.jp/information/news/product/1033/",
"refsource": "MISC",
"url": "https://network.mobile.rakuten.co.jp/information/news/product/1033/"
},
{
"name": "https://jvn.jp/en/jp/JVN46892984/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/jp/JVN46892984/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2022-26834",
"datePublished": "2022-06-13T04:50:27.000Z",
"dateReserved": "2022-05-13T00:00:00.000Z",
"dateUpdated": "2024-08-03T05:11:44.548Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
JVNDB-2024-012941
Vulnerability from jvndb - Published: 2024-11-19 10:41 - Updated:2024-11-19 10:41
Severity
Summary
Multiple vulnerabilities in Rakuten Turbo 5G
Details
Rakuten Turbo 5G provided by Rakuten Mobile, Inc. contains multiple vulnerabilities listed below.
* Missing authentication for critical function (CWE-306) - CVE-2024-47865
* OS command injection (CWE-78) - CVE-2024-48895
* Exposure of sensitive system information to an unauthorized control sphere (CWE-497) - CVE-2024-52033
Samy Younsi of NeroTeam Security Labs reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.
References
| Type | URL | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | |
|---|---|---|
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-012941.html",
"dc:date": "2024-11-19T10:41+09:00",
"dcterms:issued": "2024-11-19T10:41+09:00",
"dcterms:modified": "2024-11-19T10:41+09:00",
"description": "Rakuten Turbo 5G provided by Rakuten Mobile, Inc. contains multiple vulnerabilities listed below.\r\n\r\n* Missing authentication for critical function (CWE-306) - CVE-2024-47865\r\n* OS command injection (CWE-78) - CVE-2024-48895\r\n* Exposure of sensitive system information to an unauthorized control sphere (CWE-497) - CVE-2024-52033\r\n\r\nSamy Younsi of NeroTeam Security Labs reported these vulnerabilities to JPCERT/CC.\r\nJPCERT/CC coordinated with the developer.",
"link": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-012941.html",
"sec:cpe": {
"#text": "cpe:/o:rakuten:rakuten_turbo_5g",
"@product": "Rakuten Turbo 5G",
"@vendor": "Rakuten Mobile, Inc.",
"@version": "2.2"
},
"sec:cvss": {
"@score": "8.8",
"@severity": "High",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"@version": "3.0"
},
"sec:identifier": "JVNDB-2024-012941",
"sec:references": [
{
"#text": "https://jvn.jp/en/vu/JVNVU90667116/index.html",
"@id": "JVNVU#90667116",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2024-47865",
"@id": "CVE-2024-47865",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2024-48895",
"@id": "CVE-2024-48895",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2024-52033",
"@id": "CVE-2024-52033",
"@source": "CVE"
},
{
"#text": "https://cwe.mitre.org/data/definitions/306.html",
"@id": "CWE-306",
"@title": "Missing Authentication for Critical Function(CWE-306)"
},
{
"#text": "https://cwe.mitre.org/data/definitions/497.html",
"@id": "CWE-497",
"@title": "Exposure of Sensitive System Information to an Unauthorized Control Sphere(CWE-497)"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-78",
"@title": "OS Command Injection(CWE-78)"
}
],
"title": "Multiple vulnerabilities in Rakuten Turbo 5G"
}
JVNDB-2023-000086
Vulnerability from jvndb - Published: 2023-08-23 12:42 - Updated:2024-03-27 13:43
Severity
Summary
Rakuten WiFi Pocket vulnerable to improper authentication
Details
Rakuten WiFi Pocket provided by Rakuten Mobile, Inc. is a mobile router.
Management Screen of Rakuten WiFi Pocket contains an improper authentication vulnerability (CWE-287).
Sato Nobuhiro of Suzuki Motor Corporation and You Okuma of LAC Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
| Type | URL | |
|---|---|---|
Impacted products
| Vendor | Product | |
|---|---|---|
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000086.html",
"dc:date": "2024-03-27T13:43+09:00",
"dcterms:issued": "2023-08-23T12:42+09:00",
"dcterms:modified": "2024-03-27T13:43+09:00",
"description": "Rakuten WiFi Pocket provided by Rakuten Mobile, Inc. is a mobile router.\r\nManagement Screen of Rakuten WiFi Pocket contains an improper authentication vulnerability (CWE-287).\r\n\r\nSato Nobuhiro of Suzuki Motor Corporation and You Okuma of LAC Co., Ltd. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000086.html",
"sec:cpe": {
"#text": "cpe:/o:rakuten:wifi_pocket_firmware",
"@product": "Rakuten WiFi Pocket",
"@vendor": "Rakuten Mobile, Inc.",
"@version": "2.2"
},
"sec:cvss": [
{
"@score": "2.9",
"@severity": "Low",
"@type": "Base",
"@vector": "AV:A/AC:M/Au:N/C:P/I:N/A:N",
"@version": "2.0"
},
{
"@score": "3.1",
"@severity": "Low",
"@type": "Base",
"@vector": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2023-000086",
"sec:references": [
{
"#text": "http://jvn.jp/en/jp/JVN55217369/index.html",
"@id": "JVN#55217369",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2023-40282",
"@id": "CVE-2023-40282",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-40282",
"@id": "CVE-2023-40282",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-287",
"@title": "Improper Authentication(CWE-287)"
}
],
"title": "Rakuten WiFi Pocket vulnerable to improper authentication"
}
JVNDB-2022-000036
Vulnerability from jvndb - Published: 2022-05-19 15:13 - Updated:2024-06-18 12:09
Severity
Summary
Multiple vulnerabilities in Rakuten Casa
Details
Rakuten Casa provided by Rakuten Mobile, Inc. contains multiple vulnerabilities listed below.
* Use of Hard-coded Credentials (CWE-798) - CVE-2022-29525
* Improper Access Control (CWE-284) - CVE-2022-28704
* Improper Access Control (CWE-284) - CVE-2022-26834
CVE-2022-29525
Narumi Hirai of LAC Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2022-28704
Hiroki Oshiro and Tagawa, Masaki reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2022-26834
Tagawa, Masaki reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
Impacted products
| Vendor | Product | |
|---|---|---|
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2022/JVNDB-2022-000036.html",
"dc:date": "2024-06-18T12:09+09:00",
"dcterms:issued": "2022-05-19T15:13+09:00",
"dcterms:modified": "2024-06-18T12:09+09:00",
"description": "Rakuten Casa provided by Rakuten Mobile, Inc. contains multiple vulnerabilities listed below.\r\n* Use of Hard-coded Credentials (CWE-798) - CVE-2022-29525 \r\n* Improper Access Control (CWE-284) - CVE-2022-28704\r\n* Improper Access Control (CWE-284) - CVE-2022-26834\r\n\r\nCVE-2022-29525\r\nNarumi Hirai of LAC Co., Ltd. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2022-28704\r\nHiroki Oshiro and Tagawa, Masaki reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2022-26834\r\nTagawa, Masaki reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2022/JVNDB-2022-000036.html",
"sec:cpe": {
"#text": "cpe:/a:rakuten:casa",
"@product": "Rakuten Casa",
"@vendor": "Rakuten Mobile, Inc.",
"@version": "2.2"
},
"sec:cvss": [
{
"@score": "7.8",
"@severity": "High",
"@type": "Base",
"@vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N",
"@version": "2.0"
},
{
"@score": "7.5",
"@severity": "High",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2022-000036",
"sec:references": [
{
"#text": "http://jvn.jp/en/jp/JVN46892984/index.html",
"@id": "JVN#46892984",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2022-29525",
"@id": "CVE-2022-29525",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2022-28704",
"@id": "CVE-2022-28704",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2022-26834",
"@id": "CVE-2022-26834",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2022-26834",
"@id": "CVE-2022-26834",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2022-28704",
"@id": "CVE-2022-28704",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2022-29525",
"@id": "CVE-2022-29525",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-264",
"@title": "Permissions(CWE-264)"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-Other",
"@title": "No Mapping(CWE-Other)"
}
],
"title": "Multiple vulnerabilities in Rakuten Casa"
}