{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-50357","assignerOrgId":"ede6fdc4-6654-4307-a26d-3331c018e2ce","state":"PUBLISHED","assignerShortName":"jpcert","dateReserved":"2024-10-23T04:47:33.910Z","datePublished":"2024-11-29T09:06:56.251Z","dateUpdated":"2024-12-02T18:15:27.594Z"},"containers":{"cna":{"affected":[{"vendor":"Century Systems Co., Ltd.","product":"FutureNet NXR-G110 series","versions":[{"version":"firmware versions 21.15.7 and later but prior to 21.15.9","status":"affected"}]},{"vendor":"Century Systems Co., Ltd.","product":"FutureNet NXR-G060 series","versions":[{"version":"firmware versions prior to 21.15.6C1","status":"affected"}]},{"vendor":"Century Systems Co., Ltd.","product":"FutureNet NXR-G050 series","versions":[{"version":"firmware versions 21.12.5 and later but prior to 21.12.11","status":"affected"}]}],"descriptions":[{"lang":"en","value":"FutureNet NXR series routers provided by Century Systems Co., Ltd. have REST-APIs, which are configured as disabled in the initial (factory default) configuration. However, the REST-APIs are unexpectedly enabled when the affected product is powered up, provided either http-server (GUI) or Web authentication is enabled. The factory default configuration makes http-server (GUI) enabled, which means REST-APIs are also enabled. The username and the password for REST-APIs are configured in the factory default configuration. \nAs a result, an attacker may obtain and/or alter the affected product's settings via REST-APIs."}],"problemTypes":[{"descriptions":[{"description":"Incorrect provision of specified functionality","lang":"en-US","cweId":"CWE-684","type":"CWE"}]}],"references":[{"url":"https://www.centurysys.co.jp/backnumber/nxr_common/20241031-01.html"},{"url":"https://jvn.jp/en/vu/JVNVU95001899/"}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en-US","value":"GENERAL"}],"cvssV3_0":{"version":"3.0","baseSeverity":"CRITICAL","baseScore":9.8,"vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}],"providerMetadata":{"orgId":"ede6fdc4-6654-4307-a26d-3331c018e2ce","shortName":"jpcert","dateUpdated":"2024-11-29T09:06:56.251Z"}},"adp":[{"affected":[{"vendor":"centurysys","product":"futurenet_nxr-g110_firmware","cpes":["cpe:2.3:o:centurysys:futurenet_nxr-g110_firmware:*:*:*:*:*:*:*:*"],"defaultStatus":"unknown","versions":[{"version":"21.15.7","status":"affected","lessThan":"21.15.9","versionType":"custom"}]},{"vendor":"centurysys","product":"futurenet_nxr-g060_firmware","cpes":["cpe:2.3:o:centurysys:futurenet_nxr-g060_firmware:*:*:*:*:*:*:*:*"],"defaultStatus":"unknown","versions":[{"version":"0","status":"affected","lessThan":"21.15.6C1","versionType":"custom"}]},{"vendor":"centurysys","product":"futurenet_nxr-g050_firmware","cpes":["cpe:2.3:o:centurysys:futurenet_nxr-g050_firmware:*:*:*:*:*:*:*:*"],"defaultStatus":"unknown","versions":[{"version":"21.12.5","status":"affected","lessThan":"21.12.11","versionType":"custom"}]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2024-11-29T13:27:09.092320Z","id":"CVE-2024-50357","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-12-02T18:15:27.594Z"}}]}}