CVE-2021-39245 | Altus Hadron Xtorm HX3040 getlogs.cgi hard-coded credentials
A vulnerability was found in Altus Nexto NX3003, Nexto NX3004, Nexto NX3005, Nexto NX3010, Nexto NX3020, Nexto NX3030, Nexto NX5100, Nexto NX5101, Nexto NX5110, Nexto NX5210, Nexto Xpress XP300, Nexto Xpress XP315, Nexto Xpress XP325, Nexto Xpress XP340 and Hadron Xtorm HX3040. It has been rated as critical. Affected by this issue is an unknown function of the file getlogs.cgi. Manipulation with an unknown input leads to a weak authentication vulnerability. The problem is classified as CWE-798 (use of hard-coded credentials). Confidentiality, integrity, and availability are impacted. CVE summarizes:
Hardcoded .htaccess Credentials for getlogs.cgi exist on Altus Nexto, Nexto Xpress, and Hadron Xtorm devices. This affects specific firmware versions of Nexto NX3003, Nexto NX3004, Nexto NX3005, Nexto NX3010, Nexto NX3020, Nexto NX3030, Nexto NX5100, Nexto NX5101, Nexto NX5110, Nexto NX5210, Nexto Xpress XP300, Nexto Xpress XP315, Nexto Xpress XP325, Nexto Xpress XP340, and Hadron Xtorm HX3040.
The weakness was released 08/23/2021. The advisory is available at seclists.org. This vulnerability has been handled as CVE-2021-39245 since 08/17/2021. The exploitation is known to be easy. The attack needs to be approached from within the local network. No form of authentication is required for exploitation. Technical details are known, but there is no available exploit. The structure of the vulnerability defines a possible price range of USD $0-$5k at the moment (estimation calculated on 08/25/2021). This vulnerability is assigned to T1110.001 by the MITRE ATT&CK project.
There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.
VulDB Meta Base Score: 6.3
VulDB Meta Temp Score: 6.1
Status: Not defined