CVE-2024-50357

Summary

FutureNet NXR series routers provided by Century Systems Co., Ltd. have REST-APIs, which are configured as disabled in the initial (factory default) configuration. But, REST-APIs are unexpectedly enabled when the affected product is powered up, provided either http-server (GUI) or Web authentication is enabled. The factory default configuration makes http-server (GUI) enabled, which means REST-APIs are also enabled. The username and the password for REST-APIs are configured in the factory default configuration. As a result, an attacker may obtain and/or alter the affected product's settings via REST-APIs.

Affected Software

VendorProductVersion RangeStatus
Century Systems Co., Ltd.FutureNet NXR-G110 seriesfirmware versions 21.15.7 and later but prior to 21.15.9affected
Century Systems Co., Ltd.FutureNet NXR-G060 seriesfirmware versions prior to 21.15.6C1affected
Century Systems Co., Ltd.FutureNet NXR-G050 seriesfirmware versions 21.12.5 and later but prior to 21.12.11affected

Weaknesses

  • CWE-684: Incorrect provision of specified functionality

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References