CVE-2024-36491
📋 TL;DR
This vulnerability allows administrative users on FutureNet NXR, VXR, and WXR series devices from Century Systems to execute arbitrary operating system commands, potentially leading to full system compromise. It affects organizations using these network devices, enabling attackers with admin access to run malicious commands, access sensitive data, or cause denial-of-service conditions.
💻 Affected Systems
- FutureNet NXR series
- FutureNet VXR series
- FutureNet WXR series
📦 What is this software?
Futurenet Nxr 125\/cx Firmware by Centurysys
Futurenet Nxr 160\/lw Firmware by Centurysys
Futurenet Nxr G180\/l Ca Firmware by Centurysys
Futurenet Vxr X64 by Centurysys
Futurenet Vxr X86 by Centurysys
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with complete administrative control, data exfiltration, persistent backdoor installation, and permanent device damage requiring hardware replacement.
Likely Case
Unauthorized administrative access leading to command execution, configuration changes, service disruption, and potential lateral movement within the network.
If Mitigated
Limited impact if proper network segmentation, least privilege access, and monitoring are implemented, though the vulnerability still exists.
🎯 Exploit Status
Exploitation requires administrative credentials but is straightforward once access is obtained. The CWE-78 (OS Command Injection) nature suggests simple command injection techniques would work.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Patches released July 16, 2024
Vendor Advisory: https://www.centurysys.co.jp/backnumber/nxr_common/20240716-01.html
Restart Required: Yes
Instructions:
1. Download the latest firmware from Century Systems website. 2. Backup current configuration. 3. Apply firmware update following vendor instructions. 4. Restart device. 5. Verify patch installation and restore configuration if needed.
🔧 Temporary Workarounds
Restrict Administrative Access
allLimit administrative access to only trusted IP addresses and users, implement strong authentication, and monitor admin activity.
Network Segmentation
allIsolate affected devices in separate network segments with strict firewall rules to limit potential lateral movement.
🧯 If You Can't Patch
- Implement strict network access controls to limit device exposure
- Enable comprehensive logging and monitoring for suspicious administrative activities
🔍 How to Verify
Check if Vulnerable:
Check device firmware version against patched versions listed in vendor advisories. Review administrative access logs for unusual command execution patterns.Check Version:
Check device web interface or CLI for firmware version information (vendor-specific commands vary by device model).Verify Fix Applied:
Verify firmware version matches patched versions from July 2024 or later. Test administrative functions to ensure command injection is no longer possible.📡 Detection & Monitoring
Log Indicators:
- Unusual administrative login patterns
- Suspicious command execution in admin logs
- Multiple failed authentication attempts followed by successful admin access
Network Indicators:
- Unexpected outbound connections from devices
- Unusual traffic patterns to/from administrative interfaces
SIEM Query:
source="device_logs" AND (event_type="admin_command" AND command="*;*" OR command="*|*" OR command="*`*" OR command="*$(*)")🔗 References
- https://jvn.jp/en/vu/JVNVU96424864/
- https://www.centurysys.co.jp/backnumber/nxr_common/20240716-01.html
- https://www.centurysys.co.jp/backnumber/nxr_common/20240716-03.html
- https://jvn.jp/en/vu/JVNVU96424864/
- https://www.centurysys.co.jp/backnumber/nxr_common/20240716-01.html
- https://www.centurysys.co.jp/backnumber/nxr_common/20240716-03.html
