A recent security advisory from JPCERT/CC has highlighted multiple vulnerabilities in Inaba Denki Sangyo Co., Ltd.'s Wi-Fi AP UNIT "AC-WPS-11ac series". These vulnerabilities affect several models within the series, posing a risk to the security and integrity of networks using these devices.
According to the advisory, eight distinct vulnerabilities affect several models within the AC-WPS-11ac family, including the AC-WPS-11ac, AC-WPSM-11ac, and AC-PD-WPS-11ac lines, all running firmware version v2.0.03P or earlier. Notably, two of the most severe flaws allow for remote command execution:
CVE-2025-25053 and CVE-2025-27797 are both command injection vulnerabilities, scoring 8.8 and 9.8 respectively on the CVSS v3.1 scale. JPCERT/CC warns that, "An arbitrary OS command may be executed by a remote attacker who can log in to the product." These flaws essentially grant attackers the ability to execute commands on the underlying operating system, possibly leading to full device compromise.
Another serious issue is CVE-2025-29870, which was rated 7.5 and involves missing authentication for critical functions. This could allow an unauthenticated attacker to gain unauthorized access to configuration data, including sensitive credentials. "A remote unauthenticated attacker may obtain the product configuration information including authentication information," the report states.
While some vulnerabilities are less severe, their exploitation in concert could facilitate lateral movement or privilege escalation:
- CVE-2025-23407 (CVSS 4.3): Incorrect privilege assignment in the web UI
- CVE-2025-25056 (CVSS 4.3): Cross-site request forgery (CSRF)
- CVE-2025-25213 (CVSS 6.5): Improper frame/UI layer restrictions
- CVE-2025-27722 (CVSS 5.9): Cleartext transmission of sensitive information
- CVE-2025-27934 (CVSS 7.5): Authentication information disclosure in a specific service
The CSRF and UI rendering vulnerabilities open the door for social engineering attacks, particularly when users are logged into the device's admin panel and inadvertently trigger malicious requests by viewing compromised web pages.
JPCERT/CC strongly advises administrators to update to firmware version v2.0.06.13P, which addresses all identified vulnerabilities. Affected models include:
- AC-WPS-11ac / -P
- AC-WPSM-11ac / -P
- AC-PD-WPS-11ac / -P
Additionally, Inaba Denki Sangyo recommends applying supplementary workarounds to reinforce device security.
While these devices may be used primarily in specialized industrial or enterprise contexts, the implications of these vulnerabilities are broad, especially considering the risk of unauthorized network access and sensitive data leakage. Organizations utilizing the AC-WPS-11ac series should immediately update firmware and audit device configurations to mitigate potential exposure.
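
The firmware audit recommended above can start as a triage pass over an asset inventory. The following is an added example, not code from JPCERT/CC or the vendor. It assumes that version strings compare numerically component by component with the trailing letter ignored, and that the -P variants are written as the model name with "-P" appended. The inventory rows are constructed. Versions between the two the advisory names are flagged for manual review because the page does not state their status.

```python
import re

# Values from the advisory summary above.
AFFECTED_MODELS = {"AC-WPS-11ac", "AC-WPSM-11ac", "AC-PD-WPS-11ac"}
LAST_AFFECTED = "v2.0.03P"
FIRST_FIXED = "v2.0.06.13P"

def parse_version(text):
    """'v2.0.06.13P' -> (2, 0, 6, 13). The format handling is an assumption."""
    m = re.fullmatch(r"[vV]?(\d+(?:\.\d+)*)[A-Za-z]?", text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))

def compare(a, b):
    """Return -1, 0 or 1 after zero-padding the shorter tuple."""
    width = max(len(a), len(b))
    a, b = (t + (0,) * (width - len(t)) for t in (a, b))
    return (a > b) - (a < b)

def classify(model, firmware):
    base = model.strip().removesuffix("-P")  # assumed spelling of the -P variants
    if base not in AFFECTED_MODELS:
        return "not-listed"
    try:
        version = parse_version(firmware)
    except ValueError:
        return "check-manually"  # unreadable version: never assume it is safe
    if compare(version, parse_version(LAST_AFFECTED)) <= 0:
        return "vulnerable"
    if compare(version, parse_version(FIRST_FIXED)) >= 0:
        return "fixed"
    return "check-manually"  # between the two versions the page names

# Constructed inventory rows (host, model, firmware); not real devices.
INVENTORY = [
    ("ap-floor1", "AC-WPS-11ac", "v2.0.03P"),
    ("ap-floor2", "AC-WPSM-11ac-P", "v2.0.06.13P"),
    ("ap-dock", "AC-PD-WPS-11ac", "v2.0.05P"),
    ("ap-lab", "AC-WPS-11ac", "firmware?"),
    ("ap-guest", "OTHER-AP", "v1.0.0"),
]

def audit(rows):
    return {host: classify(model, fw) for host, model, fw in rows}

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host:10} {status}")
```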