CRITICAL🇵🇱 Wersja polska

CVE-2024-50357

CVSS 9.8v3.0pub. 2024-11-29upd. 2026-04-15

FutureNet NXR series routers provided by Century Systems Co., Ltd. have REST-APIs, which are configured as disabled in the initial (factory default) configuration. But, REST-APIs are unexpectedly enabled when the affected product is powered up, provided either http-server (GUI) or Web authentication is enabled. The factory default configuration makes http-server (GUI) enabled, which means REST-APIs are also enabled. The username and the password for REST-APIs are configured in the factory default configuration. As a result, an attacker may obtain and/or alter the affected product's settings via REST-APIs.

🤖 AI Analysis
How it works

In the factory configuration, REST-API is marked as disabled, however after the device is started with an active HTTP server (GUI) or Web authentication function, REST-API is unexpectedly enabled. The factory configuration by default launches the HTTP server, which causes the described problem to affect virtually every device with standard settings. The REST-API authentication credentials (username and password) are pre-configured in the factory settings and are therefore identical for all devices supplied by the manufacturer. An attacker can remotely, without any authentication (using default credentials), send requests to the REST-API over the network.

Impact

An attacker can remotely read and modify the device configuration via REST-API, which may result in taking full control of the router, changing network settings, redirecting traffic, or permanent loss of device integrity.

Mitigation & patch

Apply patches available from the manufacturer in accordance with the references (https://www.centurysys.co.jp/backnumber/nxr_common/20241031-01.html). Until the update is applied, it is recommended to disable the HTTP server (GUI) and Web authentication functions if not required, and to restrict access to the device management interface at the firewall level or through network segmentation.

Who is affected

FutureNet NXR series routers from Century Systems Co., Ltd.; specific firmware versions and models indicated in the manufacturer's references

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References