CVE-2024-36491

FutureNet NXR series, VXR series and WXR series provided by Century Systems Co., Ltd. allow an administrative user to execute an arbitrary OS command, obtain and/or alter sensitive information, and cause a denial-of-service (DoS) condition.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://jvn.jp/en/vu/JVNVU96424864/	Third Party Advisory
https://www.centurysys.co.jp/backnumber/nxr_common/20240716-01.html	Vendor Advisory
https://www.centurysys.co.jp/backnumber/nxr_common/20240716-03.html	Vendor Advisory
https://jvn.jp/en/vu/JVNVU96424864/	Third Party Advisory
https://www.centurysys.co.jp/backnumber/nxr_common/20240716-01.html	Vendor Advisory
https://www.centurysys.co.jp/backnumber/nxr_common/20240716-03.html	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:centurysys:futurenet_nxr-1300_firmware::::::::
	cpe:2.3:o:centurysys:futurenet_nxr-155\/c_firmware::::::::
	cpe:2.3:o:centurysys:futurenet_nxr-610x_firmware::::::::
	cpe:2.3:o:centurysys:futurenet_nxr-g050_firmware::::::::
	cpe:2.3:o:centurysys:futurenet_nxr-g060_firmware::::::::
	cpe:2.3:o:centurysys:futurenet_nxr-g100_firmware::::::::
	cpe:2.3:o:centurysys:futurenet_nxr-g110_firmware::::::::
	cpe:2.3:o:centurysys:futurenet_nxr-g120_firmware::::::::
	cpe:2.3:o:centurysys:futurenet_nxr-g200_firmware::::::::
	cpe:2.3:o:centurysys:futurenet_vxr-x64::::::::
	cpe:2.3:o:centurysys:futurenet_vxr-x86::::::::

Configuration 2 (hide)

AND

cpe:2.3:o:centurysys:futurenet_nxr-160\/lw_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:centurysys:futurenet_nxr-160\/lw:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:o:centurysys:futurenet_nxr-230\/c_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:centurysys:futurenet_nxr-230\/c:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

cpe:2.3:o:centurysys:futurenet_nxr-350\/c_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:centurysys:futurenet_nxr-350\/c:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND

cpe:2.3:o:centurysys:futurenet_nxr-530_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:centurysys:futurenet_nxr-530:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND

cpe:2.3:o:centurysys:futurenet_nxr-650_firmware:*:*:*:*:*:*:*:*

Configuration 7 (hide)

AND

cpe:2.3:o:centurysys:futurenet_nxr-g180\/l-ca_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:centurysys:futurenet_nxr-g180\/l-ca:-:*:*:*:*:*:*:*

Configuration 8 (hide)

AND

cpe:2.3:o:centurysys:futurenet_nxr-130\/c_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:centurysys:futurenet_nxr-130\/c:-:*:*:*:*:*:*:*

Configuration 9 (hide)

AND

cpe:2.3:o:centurysys:futurenet_nxr-125\/cx_firmware:*:*:*:*:*:*:*:*

Configuration 10 (hide)

AND

cpe:2.3:o:centurysys:futurenet_nxr-120\/c_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:centurysys:futurenet_nxr-120\/c:-:*:*:*:*:*:*:*

Configuration 11 (hide)

AND

cpe:2.3:o:centurysys:futurenet_wxr-250_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:centurysys:futurenet_wxr-250:-:*:*:*:*:*:*:*

Configuration 12 (hide)

AND

cpe:2.3:o:centurysys:futurenet_nxr-1200_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:centurysys:futurenet_nxr-1200:-:*:*:*:*:*:*:*

History

01 Apr 2025, 05:15

Type	Values Removed	Values Added
Summary	(en) FutureNet NXR series, VXR series and WXR series provided by Century Systems Co., Ltd. allow a remote unauthenticated attacker to execute an arbitrary OS command, obtain and/or alter sensitive information, and be able to cause a denial of service (DoS) condition.	(en) FutureNet NXR series, VXR series and WXR series provided by Century Systems Co., Ltd. allow an administrative user to execute an arbitrary OS command, obtain and/or alter sensitive information, and cause a denial-of-service (DoS) condition.

Information

Published : 2024-07-17 09:15

Updated : 2025-04-01 05:15

NVD link : CVE-2024-36491

Mitre link : CVE-2024-36491

CVE.ORG link : CVE-2024-36491

JSON object : View

Products Affected

centurysys

futurenet_nxr-130\/c_firmware
futurenet_nxr-155\/c_firmware
futurenet_nxr-160\/lw_firmware
futurenet_nxr-530
futurenet_nxr-230\/c_firmware
futurenet_nxr-350\/c
futurenet_nxr-650_firmware
futurenet_nxr-1300_firmware
futurenet_nxr-1200
futurenet_nxr-g100_firmware
futurenet_nxr-1200_firmware
futurenet_nxr-120\/c_firmware
futurenet_wxr-250_firmware
futurenet_nxr-530_firmware
futurenet_nxr-350\/c_firmware
futurenet_nxr-g180\/l-ca_firmware
futurenet_nxr-160\/lw
futurenet_nxr-g180\/l-ca
futurenet_nxr-g120_firmware
futurenet_nxr-125\/cx_firmware
futurenet_wxr-250
futurenet_nxr-230\/c
futurenet_nxr-120\/c
futurenet_vxr-x64
futurenet_nxr-g200_firmware
futurenet_nxr-g110_firmware
futurenet_nxr-g060_firmware
futurenet_nxr-g050_firmware
futurenet_vxr-x86
futurenet_nxr-130\/c
futurenet_nxr-610x_firmware

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

9.8 /10