CVE-2024-50357
📋 TL;DR
FutureNet NXR series routers have REST APIs that become unexpectedly enabled when the device is powered up if either the HTTP server (GUI) or web authentication is enabled. Since the HTTP server is enabled by default, attackers can use default credentials to access REST APIs and modify router settings. This affects all users of FutureNet NXR series routers running vulnerable configurations.
💻 Affected Systems
- FutureNet NXR series routers
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full administrative control over the router, enabling them to reconfigure network settings, intercept traffic, deploy malware, or use the device as a pivot point into internal networks.
Likely Case
Attackers modify router configurations to redirect traffic, change DNS settings, or disable security features, potentially leading to data interception or network disruption.
If Mitigated
With proper access controls and network segmentation, impact is limited to the affected router's configuration, though attackers could still disrupt local network services.
🎯 Exploit Status
Exploitation requires knowledge of the default credentials but is straightforward once the REST API is accessible.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified in advisory
Vendor Advisory: https://www.centurysys.co.jp/backnumber/nxr_common/20241031-01.html
Restart Required: Yes
Instructions:
1. Access router web interface.
2. Navigate to configuration settings.
3. Disable REST APIs if not needed.
4. Change default credentials.
5. Restart router to apply changes.
🔧 Temporary Workarounds
Disable HTTP Server
Turn off the HTTP server (GUI) to prevent REST APIs from being enabled
Configuration via web interface: Navigate to System > HTTP Server > Disable
Change Default Credentials
Immediately change all default usernames and passwords
Configuration via web interface: Navigate to Administration > Users > Change password
🧯 If You Can't Patch
- Segment affected routers in isolated network zones
- Implement strict firewall rules to block external access to router management interfaces
🔍 How to Verify
Check if Vulnerable:
Check whether the REST APIs are accessible by attempting to connect to the router's REST API endpoints using default credentials
Check Version:
Check router web interface or console for firmware version information
Verify Fix Applied:
Verify REST APIs are no longer accessible and default credentials no longer work
📡 Detection & Monitoring
Log Indicators:
- Unusual authentication attempts to REST API endpoints
- Configuration changes from unexpected sources
Network Indicators:
- Traffic to router REST API ports from unauthorized sources
- Unusual outbound connections from router
SIEM Query:
source_ip=router_ip AND (destination_port=api_port OR event_description="REST API access")