CVE-2024-50357

Nov. 29, 2024, 10:15 a.m.

9.8
Critical

Description

FutureNet NXR series routers provided by Century Systems Co., Ltd. have REST-APIs, which are configured as disabled in the initial (factory default) configuration. But, REST-APIs are unexpectedly enabled when the affected product is powered up, provided either http-server (GUI) or Web authentication is enabled. The factory default configuration makes http-server (GUI) enabled, which means REST-APIs are also enabled. The username and the password for REST-APIs are configured in the factory default configuration. As a result, an attacker may obtain and/or alter the affected product's settings via REST-APIs.

Product(s) Impacted

Product Versions
FutureNet NXR series routers by Century Systems Co., Ltd.
  • []

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-684
Incorrect Provision of Specified Functionality
The code does not function according to its published specifications, potentially leading to incorrect usage.

References

https://jvn.jp/en/vu/JVNVU95001899/
https://www.centurysys.co.jp/backnumber/nxr_common/20241031-01.html

Tags

vultures@jpcert.or.jp
CWE-684
2024-11-29
CVE-2024-50357

CVSS Score

9.8 / 10

CVSS Data - 3.0

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

    • CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    View Vector String

Timeline

Published: Nov. 29, 2024, 10:15 a.m.
Last Modified: Nov. 29, 2024, 10:15 a.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

vultures@jpcert.or.jp

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.