CVE-2024-36475

Published: Jul 17, 2024Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

FutureNet NXR series, VXR series and WXR series provided by Century Systems Co., Ltd. contain an active debug code vulnerability. If a user who knows how to use the debug function logs in to the product, the debug function may be used and an arbitrary OS command may be executed.

Affected (22)

Centurysys

22 products

Futurenet Nxr 1300 Firmware

Futurenet Nxr 155/c Firmware

Futurenet Nxr 610x Firmware

Futurenet Nxr G050 Firmware

Futurenet Nxr G060 Firmware

Futurenet Nxr G100 Firmware

Futurenet Nxr G110 Firmware

Futurenet Nxr G120 Firmware

Futurenet Nxr G200 Firmware

Futurenet Vxr X64

Futurenet Vxr X86

Futurenet Nxr 160/lw Firmware

Futurenet Nxr 230/c Firmware

Futurenet Nxr 350/c Firmware

Futurenet Nxr 530 Firmware

Futurenet Nxr 650 Firmware

Futurenet Nxr G180/l Ca Firmware

Futurenet Nxr 130/c Firmware

Futurenet Nxr 125/cx Firmware

Futurenet Nxr 120/c Firmware

Futurenet Wxr 250 Firmware

Futurenet Nxr 1200 Firmware

Configuration A

11 vulnerable

Vulnerable Software	Affected Versions
Centurysys Futurenet Nxr 1300 Firmware	Before 7.4.10
Centurysys Futurenet Nxr 155/c Firmware	All versions
Centurysys Futurenet Nxr 610x Firmware	Before 21.14.11c
Centurysys Futurenet Nxr G050 Firmware	Before 21.12.10
Centurysys Futurenet Nxr G060 Firmware	Before 21.15.6
Centurysys Futurenet Nxr G100 Firmware	Before 6.23.11
Centurysys Futurenet Nxr G110 Firmware	Before 21.7.32
Centurysys Futurenet Nxr G120 Firmware	Before 21.15.2c
Centurysys Futurenet Nxr G200 Firmware	Before 9.12.16
Centurysys Futurenet Vxr X64	Before 21.7.32
Centurysys Futurenet Vxr X86	Before 10.1.5

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Centurysys Futurenet Nxr 160/lw Firmware	Before 21.8.4

Running on/with	Platform Versions
Centurysys Futurenet Nxr 160/lw	All versions

Configuration C

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Centurysys Futurenet Nxr 230/c Firmware	Before 5.30.13

Running on/with	Platform Versions
Centurysys Futurenet Nxr 230/c	All versions

Configuration D

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Centurysys Futurenet Nxr 350/c Firmware	Before 5.30.9c

Running on/with	Platform Versions
Centurysys Futurenet Nxr 350/c	All versions

Configuration E

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Centurysys Futurenet Nxr 530 Firmware	Before 21.11.14

Running on/with	Platform Versions
Centurysys Futurenet Nxr 530	All versions

Configuration F

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Centurysys Futurenet Nxr 650 Firmware	Before 21.16.2

Running on/with	Platform Versions
Centurysys Futurenet Nxr 650	All versions

Configuration G

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Centurysys Futurenet Nxr G180/l Ca Firmware	Before 21.7.28c

Running on/with	Platform Versions
Centurysys Futurenet Nxr G180/l Ca	All versions

Configuration H

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Centurysys Futurenet Nxr 130/c Firmware	All versions

Running on/with	Platform Versions
Centurysys Futurenet Nxr 130/c	All versions

Configuration I

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Centurysys Futurenet Nxr 125/cx Firmware	All versions

Running on/with	Platform Versions
Centurysys Futurenet Nxr 125/cx	All versions

Configuration J

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Centurysys Futurenet Nxr 120/c Firmware	All versions

Running on/with	Platform Versions
Centurysys Futurenet Nxr 120/c	All versions

Configuration K

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Centurysys Futurenet Wxr 250 Firmware	All versions

Running on/with	Platform Versions
Centurysys Futurenet Wxr 250	All versions

Configuration L

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Centurysys Futurenet Nxr 1200 Firmware	All versions

Running on/with	Platform Versions
Centurysys Futurenet Nxr 1200	All versions

Related CWEs

CWE-489

Active Debug Code

The product is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (6)

https://jvn.jp/en/vu/JVNVU96424864/

Source: vultures@jpcert.or.jp

Third Party Advisory

https://www.centurysys.co.jp/backnumber/nxr_common/20240716-01.html

Source: vultures@jpcert.or.jp

Vendor Advisory

https://www.centurysys.co.jp/backnumber/nxr_common/20240716-03.html

Source: vultures@jpcert.or.jp

Vendor Advisory

https://jvn.jp/en/vu/JVNVU96424864/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.centurysys.co.jp/backnumber/nxr_common/20240716-01.html

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://www.centurysys.co.jp/backnumber/nxr_common/20240716-03.html

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.