CVE-2024-50357

EUVD-2024-45180

29.11.2024, 10:15

FutureNet NXR series routers provided by Century Systems Co., Ltd. have REST-APIs, which are configured as disabled in the initial (factory default) configuration. But, REST-APIs are unexpectedly enabled when the affected product is powered up, provided either http-server (GUI) or Web authentication is enabled. The factory default configuration makes http-server (GUI) enabled, which means REST-APIs are also enabled. The username and the password for REST-APIs are configured in the factory default configuration. As a result, an attacker may obtain and/or alter the affected product's settings via REST-APIs.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 34%

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
centurysys	futurenet_nxr-g110_firmware	21.15.7 ≤ 𝑥 < 21.15.9	ADP
centurysys	futurenet_nxr-g060_firmware	𝑥 < 21.15.6C1	ADP
centurysys	futurenet_nxr-g050_firmware	21.12.5 ≤ 𝑥 < 21.12.11	ADP

Common Weakness Enumeration

CWE-684 - Incorrect Provision of Specified Functionality
The code does not function according to its published specifications, potentially leading to incorrect usage.

References

https://jvn.jp/en/vu/JVNVU95001899/

https://www.centurysys.co.jp/backnumber/nxr_common/20241031-01.html