Routers' REST-APIs Unintentionally Enabled, Risking Configuration Modification
CVE-2024-50357

9.8 CRITICAL

What is CVE-2024-50357?

FutureNet NXR series routers from Century Systems Co., Ltd. have a security configuration issue affecting their REST-APIs. The REST-APIs are intended to be disabled in the factory default settings, but they can become enabled when the router is powered on if either the http-server (GUI) or Web authentication feature is activated. This lets threat actors use the REST-APIs to gain unauthorized access and potentially modify sensitive settings of the affected device. Default credentials for the REST-APIs are set in the factory configuration, which amplifies the risk of unauthorized actions if the configuration is not changed after installation.

Affected Version(s)

FutureNet NXR-G050 series firmware versions 21.12.5 and later but prior to 21.12.11

FutureNet NXR-G060 series firmware versions prior to 21.15.6C1

FutureNet NXR-G110 series firmware versions 21.15.7 and later but prior to 21.15.9
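
To triage a router inventory against the ranges listed above, the following added example (not vendor code) compares firmware versions numerically per series. The inventory rows and hostnames are constructed, and the ordering of the `C1` suffix after the bare version is an assumption.

```python
import re

# Affected ranges from this page: (inclusive lower bound or None, exclusive upper bound).
AFFECTED = {
    "NXR-G050": ("21.12.5", "21.12.11"),
    "NXR-G060": (None, "21.15.6C1"),
    "NXR-G110": ("21.15.7", "21.15.9"),
}

def parse_version(text):
    """Split '21.15.6C1' into ((21, 15, 6), 'C1') for ordered comparison.

    Assumption: a trailing suffix such as 'C1' sorts after the same
    numeric version without a suffix (21.15.6 < 21.15.6C1).
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([A-Za-z]\w*)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(p) for p in m.group(1).split(".")), m.group(2) or ""

def is_affected(series, version):
    """Return True if the firmware falls in this page's affected range."""
    if series not in AFFECTED:
        return False  # series not listed on this page
    low, high = AFFECTED[series]
    v = parse_version(version)
    # Integer tuples avoid the string-compare trap where "21.12.10" < "21.12.5".
    if low is not None and v < parse_version(low):
        return False
    return v < parse_version(high)

def triage(inventory):
    """Return hostnames from (host, series, version) rows needing an update."""
    return [host for host, series, ver in inventory if is_affected(series, ver)]

# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE = [
    ("branch-01", "NXR-G050", "21.12.4"),    # below the affected range
    ("branch-02", "NXR-G050", "21.12.10"),   # inside the affected range
    ("branch-03", "NXR-G060", "21.15.6"),    # prior to 21.15.6C1 (assumed ordering)
    ("branch-04", "NXR-G060", "21.15.6C1"),  # not in the affected range
    ("branch-05", "NXR-G110", "21.15.9"),    # not in the affected range
]

if __name__ == "__main__":
    for host in triage(SAMPLE):
        print(f"{host}: firmware in affected range for CVE-2024-50357")
```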

References

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
