Security Advisory for Vulnerabilities in PLANET UNI-NMS, NMS-500, and NMS-1000V
CVE
Summary
Multiple vulnerabilities have been identified in PLANET UNI-NMS, which is also deployed as the management software in the NMS-500 and NMS-1000V network management systems. These include an OS command injection flaw and the use of hard-coded credentials that allow unauthenticated attackers to gain administrative access and interact with managed devices.
What Are the Risks Associated with This Vulnerability?
- Remote Command Execution: An unauthenticated attacker could exploit a command injection vulnerability to execute arbitrary operating system commands (CVE-2025-46271).
- Privilege Escalation: Hard-coded credentials may allow attackers to gain full administrative control without valid login information (CVE-2025-46273).
- Unauthorized Access to Managed Devices: Using these credentials, an attacker can manipulate or monitor configurations of devices under NMS control (CVE-2025-46274).
Which Versions Are Affected and What Should You Do?
After a comprehensive investigation, we have identified the impacted product versions and released updated firmware to mitigate these vulnerabilities.
The affected products and available patches are listed in the table below:
How to Get Assistance
If you have any questions or require assistance, please contact PLANET's technical support team or reach out to your PLANET distributor. We are here to provide additional guidance and support.
Acknowledgment
We would like to express our appreciation to Immersive Labs for reporting these vulnerabilities.
Revision History
[2025-04-25]: Initial Version