Description
FutureNet NXR series routers provided by Century Systems Co., Ltd. offer REST-APIs, which are disabled in the initial (factory default) configuration. However, the REST-APIs are unexpectedly enabled when the affected product is powered up if either the http-server (GUI) or Web authentication is enabled. Because the factory default configuration enables the http-server (GUI), the REST-APIs are enabled as well. The username and password for the REST-APIs are also set in the factory default configuration. As a result, an attacker may obtain and/or alter the affected product's settings via the REST-APIs.
CVSS breakdown
CVSS 3.0 (vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
Affected products
- Century Systems Co., Ltd. / FutureNet NXR-G050 series: firmware versions 21.12.5 and later but prior to 21.12.11
- Century Systems Co., Ltd. / FutureNet NXR-G060 series: firmware versions prior to 21.15.6C1
- Century Systems Co., Ltd. / FutureNet NXR-G110 series: firmware versions 21.15.7 and later but prior to 21.15.9
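The following is an added defender-side audit example, not code from Century Systems or from this advisory. It encodes the exposure condition from the description (REST-APIs come up at power-up whenever the http-server (GUI) or Web authentication is enabled, and the factory-default REST-API credentials remain in place) together with the affected firmware ranges listed above, so an operator can flag units from a config inventory. The advisory gives no NXR CLI syntax, so the settings are modelled as a plain dataclass, the factory-default credential values are placeholders, and the assumption that a suffixed release such as 21.15.6C1 sorts after the bare 21.15.6 is noted in the code.

```python
"""Audit for the FutureNet NXR REST-API exposure described in this advisory.

Added example, not Century Systems' code. The NXR config syntax is not given in
the advisory, so settings are modelled as a dataclass and the factory-default
REST-API credentials are placeholders.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Affected firmware ranges from the advisory: (inclusive lower bound or None, exclusive upper bound).
AFFECTED_RANGES = {
    "NXR-G050": ("21.12.5", "21.12.11"),
    "NXR-G060": (None, "21.15.6C1"),
    "NXR-G110": ("21.15.7", "21.15.9"),
}

# Placeholders: the advisory states factory-default REST-API credentials exist but does not list them.
FACTORY_DEFAULT_REST_USER = "<factory-default-user>"
FACTORY_DEFAULT_REST_PASSWORD = "<factory-default-password>"


@dataclass
class RouterConfig:
    """Hypothetical model of the settings relevant to this advisory (not the real NXR schema)."""
    series: str
    firmware_version: str
    http_server_enabled: bool          # GUI; enabled in the factory default
    web_auth_enabled: bool
    rest_api_configured_enabled: bool  # what the config says; disabled in the factory default
    rest_api_username: str
    rest_api_password: str


def parse_version(version: str) -> Tuple[Tuple[int, str], ...]:
    """Split '21.15.6C1' into ((21,''),(15,''),(6,'C1')) so tuples compare in release order.

    Assumption: a suffixed release such as 21.15.6C1 sorts after the bare 21.15.6.
    """
    parts = []
    for comp in version.split("."):
        m = re.fullmatch(r"(\d+)([A-Za-z0-9]*)", comp)
        if not m:
            raise ValueError(f"unparseable version component: {comp!r}")
        parts.append((int(m.group(1)), m.group(2)))
    return tuple(parts)


def is_affected(series: str, version: str) -> bool:
    """True if the firmware falls inside the advisory's affected range for that series."""
    if series not in AFFECTED_RANGES:
        return False
    low, high = AFFECTED_RANGES[series]
    v = parse_version(version)
    if low is not None and v < parse_version(low):
        return False
    return v < parse_version(high)


def rest_api_effectively_enabled(cfg: RouterConfig) -> bool:
    """The advisory's condition: on affected firmware the REST-APIs are active at power-up
    when either the http-server (GUI) or Web authentication is enabled, whatever the REST-API setting."""
    return cfg.rest_api_configured_enabled or cfg.http_server_enabled or cfg.web_auth_enabled


def audit(cfg: RouterConfig) -> List[str]:
    """Return human-readable findings; an empty list means no exposure from this advisory."""
    findings = []
    affected = is_affected(cfg.series, cfg.firmware_version)
    if affected:
        findings.append(f"firmware {cfg.firmware_version} is in the affected range for {cfg.series}")
    if affected and not cfg.rest_api_configured_enabled and rest_api_effectively_enabled(cfg):
        causes = [name for name, on in (("http-server", cfg.http_server_enabled),
                                        ("web-authentication", cfg.web_auth_enabled)) if on]
        findings.append("REST-API is configured disabled but becomes enabled at power-up via: "
                        + ", ".join(causes))
    # Default credentials are worth flagging on any firmware, not only the affected ranges.
    if (cfg.rest_api_username, cfg.rest_api_password) == (FACTORY_DEFAULT_REST_USER, FACTORY_DEFAULT_REST_PASSWORD):
        findings.append("REST-API credentials are still the factory defaults")
    return findings


# Constructed sample: a factory-default NXR-G050 running affected firmware.
FACTORY_DEFAULT_G050 = RouterConfig(
    series="NXR-G050", firmware_version="21.12.8",
    http_server_enabled=True, web_auth_enabled=False, rest_api_configured_enabled=False,
    rest_api_username=FACTORY_DEFAULT_REST_USER, rest_api_password=FACTORY_DEFAULT_REST_PASSWORD,
)

# Constructed sample: the same unit after upgrading past the affected range and rotating the credentials.
HARDENED_G050 = RouterConfig(
    series="NXR-G050", firmware_version="21.12.11",
    http_server_enabled=True, web_auth_enabled=False, rest_api_configured_enabled=False,
    rest_api_username="ops-admin", rest_api_password="<rotated-secret>",
)

if __name__ == "__main__":
    for label, cfg in (("factory default", FACTORY_DEFAULT_G050), ("hardened", HARDENED_G050)):
        print(f"{label}: {audit(cfg) or ['no findings']}")
```

Running the block prints three findings for the factory-default sample (affected firmware, REST-API implicitly enabled via http-server, default credentials) and none for the hardened one. In a real inventory the dataclass would be populated from each unit's exported configuration; the version comparison is the part most worth reusing, since the G060 range ends at a suffixed build and naive string comparison would misplace it.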