Skip to main content
A Singapore Government Agency Website How to identify
Official website links end with .gov.sg
Government agencies communicate via .gov.sg websites (e.g. go.gov.sg/open). Trusted websites
Secure websites use HTTPS
Look for a lock () or https:// as an added precaution. Share sensitive information only on official, secure websites.

Government officials will never ask you to transfer money or disclose bank log-in details over a phone call.

Call the 24/7 ScamShield Helpline at 1799 if you are unsure if something is a scam.

Cyber Security Agency of Singapore
Alerts

Multiple Vulnerabilities in Alcatel-Lucent OmniAccess Stellar Products

16 July 2025

Alcatel-Lucent has released security updates addressing multiple vulnerabilities in their OmniAccess Stellar products. Users and administrators of affected products are advised to update to the latest version immediately.

Background

Alcatel-Lucent has released security updates addressing multiple vulnerabilities (CVE-2025-52687, CVE-2025-52688, CVE-2025-52689 and CVE-2025-52690) in their OmniAccess Stellar products.

Impact

CVE-2025-52687: Successful exploitation of the vulnerability could allow an attacker with administrator credentials for the access point to inject malicious JavaScript into the payload of web traffics, potentially leading to session hijacking and denial-of-service (DoS).

CVE-2025-52688: Successful exploitation of the vulnerability could allow an attacker to inject commands with root privileges on the access point, potentially leading to the loss of confidentiality, integrity, availability, and full control of the access point. The vulnerability has a Common Vulnerability Scoring System (CVSSv3.1) score of 9.8 out of 10.

CVE-2025-52689: Successful exploitation of the vulnerability could allow an unauthenticated attacker to obtain a valid session ID with administrator privileges by spoofing the login request, potentially allowing the attacker to modify the behaviour of the access point. The vulnerability has a Common Vulnerability Scoring System (CVSSv3.1) score of 9.8 out of 10.

CVE-2025-52690: Successful exploitation of the vulnerability could allow an attacker to execute arbitrary commands as root, potentially leading to the loss of confidentiality, integrity, availability, and full control of the access point.

Affected Products

The vulnerabilities affect the following Alcatel-Lucent OmniAccess Stellar products:

  • AP1100 AWOS versions 5.0.2 GA and earlier

  • AP1200 AWOS versions 5.0.2 GA and earlier

  • AP1300 AWOS versions 5.0.2 GA and earlier

  • AP1400 AWOS versions 5.0.2 GA and earlier

  • AP1500 AWOS versions 5.0.2 GA and earlier

Mitigation

Users and administrators of affected products are advised to contact their Business Partner immediately to update to the latest version.

Credits

CSA would like to express appreciation to the following researchers for discovering the vulnerabilities:

CVE-2025-52687: Jay Turla, Japz Divino, Jerold Camacho

CVE-2025-52688: Joel Chang Zhi Kai, Liu Yisen, Cao Wei, Lam Jun Rong, River Koh, Yeo Jun Yi Keith, Hyunseok Yun

CVE-2025-52689: Lam Jun Rong, Cao Yitian

CVE-2025-52690: Lam Jun Rong

Additionally, CSA would like to thank Alcatel for their collaboration on the coordinated disclosure of these vulnerabilities.

References

https://www.al-enterprise.com/-/media/assets/internet/documents/sa-n0150-omniaccess-stellar-multiple-vulnerabilities.pdf

https://jro.sg/CVEs/CVE-2025-52688/ 

https://jro.sg/CVEs/CVE-2025-52690/ 

https://blog.uhg.sg/article/24.html


Back to top