FutureNet NXR series, VXR series and WXR series provided by Century Systems Co., Ltd. allow an administrative user to execute an arbitrary OS command, obtain and/or alter sensitive information, and cause a denial-of-service (DoS) condition.
The vulnerability (CWE-78) consists of a lack of proper validation or neutralization of input data passed to system calls in the device's administrative interface. A logged-in user with administrative privileges can construct appropriately crafted input data that will be interpreted as operating system commands and executed in the context of the device. The network vector (AV:N) means the attack can be conducted remotely over the network.
An attacker can execute arbitrary OS commands on the device, obtain or modify sensitive configuration information, and cause a denial of service (DoS) state, leading to unavailability of the network device.
Patches available from the manufacturer should be applied in accordance with the references (https://www.centurysys.co.jp/backnumber/nxr_common/20240716-01.html and https://www.centurysys.co.jp/backnumber/nxr_common/20240716-03.html). Additionally, it is recommended to restrict access to the administrative interface only to trusted IP addresses and to avoid exposing the administration panel directly to the internet.
FutureNet NXR-1300, NXR-155/C, NXR-610X, NXR-G050, NXR-G060 devices and other NXR, VXR, and WXR series devices from Century Systems Co., Ltd. — exact firmware versions indicated in the manufacturer's references.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HCenturysys Futurenet Nxr 1200
HWCenturysyswszystkie wersjeCenturysys Futurenet Nxr 1200 Firmware
OSCenturysyswszystkie wersjeCenturysys Futurenet Nxr 120\/c
HWCenturysyswszystkie wersjeCenturysys Futurenet Nxr 120\/c Firmware
OSCenturysyswszystkie wersjeCenturysys Futurenet Nxr 125\/cx Firmware
OSCenturysyswszystkie wersjeCenturysys Futurenet Nxr 1300 Firmware
OSCenturysys< 7.4.10Centurysys Futurenet Nxr 130\/c
HWCenturysyswszystkie wersjeCenturysys Futurenet Nxr 130\/c Firmware
OSCenturysyswszystkie wersjeCenturysys Futurenet Nxr 155\/c Firmware
OSCenturysyswszystkie wersjeCenturysys Futurenet Nxr 160\/lw
HWCenturysyswszystkie wersjeCenturysys Futurenet Nxr 160\/lw Firmware
OSCenturysys< 21.8.4Centurysys Futurenet Nxr 230\/c
HWCenturysyswszystkie wersjeCenturysys Futurenet Nxr 230\/c Firmware
OSCenturysys< 5.30.13Centurysys Futurenet Nxr 350\/c
HWCenturysyswszystkie wersjeCenturysys Futurenet Nxr 350\/c Firmware
OSCenturysys< 5.30.9cCenturysys Futurenet Nxr 530
HWCenturysyswszystkie wersjeCenturysys Futurenet Nxr 530 Firmware
OSCenturysys< 21.11.14Centurysys Futurenet Nxr 610x Firmware
OSCenturysys< 21.14.11cCenturysys Futurenet Nxr 650 Firmware
OSCenturysys< 21.16.2Centurysys Futurenet Nxr G050 Firmware
OSCenturysys< 21.12.10Centurysys Futurenet Nxr G060 Firmware
OSCenturysys< 21.15.6Centurysys Futurenet Nxr G100 Firmware
OSCenturysys< 6.23.11Centurysys Futurenet Nxr G110 Firmware
OSCenturysys< 21.7.32Centurysys Futurenet Nxr G120 Firmware
OSCenturysys< 21.15.2cCenturysys Futurenet Nxr G180\/l Ca
HWCenturysyswszystkie wersjeCenturysys Futurenet Nxr G180\/l Ca Firmware
OSCenturysys< 21.7.28cCenturysys Futurenet Nxr G200 Firmware
OSCenturysys< 9.12.16Centurysys Futurenet Vxr X64
OSCenturysys< 21.7.32Centurysys Futurenet Vxr X86
OSCenturysys< 10.1.5Centurysys Futurenet Wxr 250
HWCenturysyswszystkie wersje
Related vulnerabilities
Auth Bypass w FutureNet NXR/VXR/WXR — nieograniczony dostęp do usługi Telnet
FutureNet NXR series, VXR series and WXR series provided by Century Systems Co., Ltd. contain an active debug ...
Cross-site request forgery (CSRF) vulnerability in multiple Century Systems routers including XR-410 before 1....