
CVE-2024-50357

Published: Nov 29, 2024

Modified: Dec 2, 2024

PUBLISHED

CVSS v3.0: 9.8 (CRITICAL)

Description

FutureNet NXR series routers provided by Century Systems Co., Ltd. have REST-APIs, which are configured as disabled in the initial (factory default) configuration. However, the REST-APIs are unexpectedly enabled when the affected product is powered up if either http-server (GUI) or Web authentication is enabled. The factory default configuration enables http-server (GUI), which means the REST-APIs are also enabled. The username and the password for the REST-APIs are configured in the factory default configuration. As a result, an attacker may obtain and/or alter the affected product's settings via the REST-APIs.

Vendor | Product | Versions

Century Systems Co., Ltd. | FutureNet NXR-G110 series | affected: firmware versions 21.15.7 and later but prior to 21.15.9

Century Systems Co., Ltd. | FutureNet NXR-G060 series | affected: firmware versions prior to 21.15.6C1

Century Systems Co., Ltd. | FutureNet NXR-G050 series | affected: firmware versions 21.12.5 and later but prior to 21.12.11

Weaknesses (CWE)

CVSS v3.0 Details

CVSS v3.0 Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network

Attack Complexity: Low

Privileges Required: None

User Interaction: None

Scope: Unchanged

Confidentiality: High

Integrity: High

Availability: High
