{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-50357", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "state": "PUBLISHED", "assignerShortName": "jpcert", "dateReserved": "2024-10-23T04:47:33.910Z", "datePublished": "2024-11-29T09:06:56.251Z", "dateUpdated": "2024-12-02T18:15:27.594Z"}, "containers": {"cna": {"affected": [{"vendor": "Century Systems Co., Ltd.", "product": "FutureNet NXR-G110 series", "versions": [{"version": "firmware versions 21.15.7 and later but prior to 21.15.9", "status": "affected"}]}, {"vendor": "Century Systems Co., Ltd.", "product": "FutureNet NXR-G060 series", "versions": [{"version": "firmware versions prior to 21.15.6C1", "status": "affected"}]}, {"vendor": "Century Systems Co., Ltd.", "product": "FutureNet NXR-G050 series", "versions": [{"version": "firmware versions 21.12.5 and later but prior to 21.12.11", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "FutureNet NXR series routers provided by Century Systems Co., Ltd. have REST-APIs, which are configured as disabled in the initial (factory default) configuration. But, REST-APIs are unexpectedly enabled when the affected product is powered up, provided either http-server (GUI) or Web authentication is enabled. The factory default configuration makes http-server (GUI) enabled, which means REST-APIs are also enabled. The username and the password for REST-APIs are configured in the factory default configuration. As a result, an attacker may obtain and/or alter the affected product's settings via REST-APIs."}], "problemTypes": [{"descriptions": [{"description": "Incorrect provision of specified functionality", "lang": "en-US", "cweId": "CWE-684", "type": "CWE"}]}], "references": [{"url": "https://www.centurysys.co.jp/backnumber/nxr_common/20241031-01.html"}, {"url": "https://jvn.jp/en/vu/JVNVU95001899/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_0": {"version": "3.0", "baseSeverity": "CRITICAL", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2024-11-29T09:06:56.251Z"}}, "adp": [{"affected": [{"vendor": "centurysys", "product": "futurenet_nxr-g110_firmware", "cpes": ["cpe:2.3:o:centurysys:futurenet_nxr-g110_firmware:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "21.15.7", "status": "affected", "lessThan": "21.15.9", "versionType": "custom"}]}, {"vendor": "centurysys", "product": "futurenet_nxr-g060_firmware", "cpes": ["cpe:2.3:o:centurysys:futurenet_nxr-g060_firmware:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "21.15.6C1", "versionType": "custom"}]}, {"vendor": "centurysys", "product": "futurenet_nxr-g050_firmware", "cpes": ["cpe:2.3:o:centurysys:futurenet_nxr-g050_firmware:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "21.12.5", "status": "affected", "lessThan": "21.12.11", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-11-29T13:27:09.092320Z", "id": "CVE-2024-50357", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-02T18:15:27.594Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-50357", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-11-29T13:27:09.092320Z"}}}], "affected": [{"cpes": ["cpe:2.3:o:centurysys:futurenet_nxr-g110_firmware:*:*:*:*:*:*:*:*"], "vendor": "centurysys", "product": "futurenet_nxr-g110_firmware", "versions": [{"status": "affected", "version": "21.15.7", "lessThan": "21.15.9", "versionType": "custom"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:o:centurysys:futurenet_nxr-g060_firmware:*:*:*:*:*:*:*:*"], "vendor": "centurysys", "product": "futurenet_nxr-g060_firmware", "versions": [{"status": "affected", "version": "0", "lessThan": "21.15.6C1", "versionType": "custom"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:o:centurysys:futurenet_nxr-g050_firmware:*:*:*:*:*:*:*:*"], "vendor": "centurysys", "product": "futurenet_nxr-g050_firmware", "versions": [{"status": "affected", "version": "21.12.5", "lessThan": "21.12.11", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-29T13:32:08.712Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Century Systems Co., Ltd.", "product": "FutureNet NXR-G110 series", "versions": [{"status": "affected", "version": "firmware versions 21.15.7 and later but prior to 21.15.9"}]}, {"vendor": "Century Systems Co., Ltd.", "product": "FutureNet NXR-G060 series", "versions": [{"status": "affected", "version": "firmware versions prior to 21.15.6C1"}]}, {"vendor": "Century Systems Co., Ltd.", "product": "FutureNet NXR-G050 series", "versions": [{"status": "affected", "version": "firmware versions 21.12.5 and later but prior to 21.12.11"}]}], "references": [{"url": "https://www.centurysys.co.jp/backnumber/nxr_common/20241031-01.html"}, {"url": "https://jvn.jp/en/vu/JVNVU95001899/"}], "descriptions": [{"lang": "en", "value": "FutureNet NXR series routers provided by Century Systems Co., Ltd. have REST-APIs, which are configured as disabled in the initial (factory default) configuration. But, REST-APIs are unexpectedly enabled when the affected product is powered up, provided either http-server (GUI) or Web authentication is enabled. The factory default configuration makes http-server (GUI) enabled, which means REST-APIs are also enabled. The username and the password for REST-APIs are configured in the factory default configuration. As a result, an attacker may obtain and/or alter the affected product's settings via REST-APIs."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-684", "description": "Incorrect provision of specified functionality"}]}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2024-11-29T09:06:56.251Z"}}}, "cveMetadata": {"cveId": "CVE-2024-50357", "state": "PUBLISHED", "dateUpdated": "2024-12-02T18:15:27.594Z", "dateReserved": "2024-10-23T04:47:33.910Z", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "datePublished": "2024-11-29T09:06:56.251Z", "assignerShortName": "jpcert"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "FutureNet NXR series routers provided by Century Systems Co., Ltd. have REST-APIs, which are configured as disabled in the initial (factory default) configuration. But, REST-APIs are unexpectedly enabled when the affected product is powered up, provided either http-server (GUI) or Web authentication is enabled. The factory default configuration makes http-server (GUI) enabled, which means REST-APIs are also enabled. The username and the password for REST-APIs are configured in the factory default configuration. As a result, an attacker may obtain and/or alter the affected product's settings via REST-APIs."}, {"lang": "es", "value": "Los enrutadores de la serie FutureNet NXR proporcionados por Century Systems Co., Ltd. tienen API REST, que est\u00e1n configuradas como deshabilitadas en la configuraci\u00f3n inicial (predeterminada de f\u00e1brica). Sin embargo, las API REST se habilitan inesperadamente cuando se enciende el producto afectado, siempre que est\u00e9 habilitada la autenticaci\u00f3n web o del servidor http (GUI). La configuraci\u00f3n predeterminada de f\u00e1brica habilita el servidor http (GUI), lo que significa que las API REST tambi\u00e9n est\u00e1n habilitadas. El nombre de usuario y la contrase\u00f1a para las API REST est\u00e1n configurados en la configuraci\u00f3n predeterminada de f\u00e1brica. Como resultado, un atacante puede obtener y/o alterar la configuraci\u00f3n del producto afectado a trav\u00e9s de las API REST."}], "id": "CVE-2024-50357", "lastModified": "2024-11-29T10:15:10.833", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "vultures@jpcert.or.jp", "type": "Secondary"}]}, "published": "2024-11-29T10:15:10.833", "references": [{"source": "vultures@jpcert.or.jp", "url": "https://jvn.jp/en/vu/JVNVU95001899/"}, {"source": "vultures@jpcert.or.jp", "url": "https://www.centurysys.co.jp/backnumber/nxr_common/20241031-01.html"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-684"}], "source": "vultures@jpcert.or.jp", "type": "Primary"}]}

{}