CVE-2024-36475
17.07.2024, 09:15
FutureNet NXR series, VXR series and WXR series provided by Century Systems Co., Ltd. contain an active debug code vulnerability. If a user who knows how to use the debug function logs in to the product, the debug function may be used and an arbitrary OS command may be executed.
Vendor | Product | Version |
---|---|---|
centurysys | futurenet_nxr-1300_firmware | 𝑥 < 7.4.10 |
centurysys | futurenet_nxr-155\/c_firmware | * |
centurysys | futurenet_nxr-610x_firmware | 𝑥 < 21.14.11c |
centurysys | futurenet_nxr-g050_firmware | 𝑥 < 21.12.10 |
centurysys | futurenet_nxr-g060_firmware | 𝑥 < 21.15.6 |
centurysys | futurenet_nxr-g100_firmware | 𝑥 < 6.23.11 |
centurysys | futurenet_nxr-g110_firmware | 𝑥 < 21.7.32 |
centurysys | futurenet_nxr-g120_firmware | 𝑥 < 21.15.2c |
centurysys | futurenet_nxr-g200_firmware | 𝑥 < 9.12.16 |
centurysys | futurenet_vxr-x64 | 𝑥 < 21.7.32 |
centurysys | futurenet_vxr-x86 | 𝑥 < 10.1.5 |
centurysys | futurenet_nxr-160\/lw_firmware | 𝑥 < 21.8.4 |
centurysys | futurenet_nxr-230\/c_firmware | 𝑥 < 5.30.13 |
centurysys | futurenet_nxr-350\/c_firmware | 𝑥 < 5.30.9c |
centurysys | futurenet_nxr-530_firmware | 𝑥 < 21.11.14 |
centurysys | futurenet_nxr-650_firmware | 𝑥 < 21.16.2 |
centurysys | futurenet_nxr-g180\/l-ca_firmware | 𝑥 < 21.7.28c |
centurysys | futurenet_nxr-130\/c_firmware | * |
centurysys | futurenet_nxr-125\/cx_firmware | * |
centurysys | futurenet_nxr-120\/c_firmware | * |
centurysys | futurenet_wxr-250_firmware | * |
centurysys | futurenet_nxr-1200_firmware | * |
𝑥 = Vulnerable software versions
Common Weakness Enumeration
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
- CWE-489 - Active Debug Code: The application is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.
References