Cyber Resilience

CVE-2024-36475

High · RCE

Published: 17 July 2024

Modified: 21 November 2024
KEV Added: not listed
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0051 (66.7th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-36475 is a high-severity OS Command Injection (CWE-78) vulnerability in Centurysys Futurenet Nxr-1300 Firmware. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 33.3% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Vulnerability details

FutureNet NXR series, VXR series and WXR series provided by Century Systems Co., Ltd. contain an active debug code vulnerability. If a user who knows how to use the debug function logs in to the product, the debug function may be used and an arbitrary OS command may be executed.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

centurysys futurenet nxr-1300 firmware: ≤ 7.4.10
centurysys futurenet nxr-155/c firmware: all versions
centurysys futurenet nxr-610x firmware: ≤ 21.14.11c
centurysys futurenet nxr-g050 firmware: ≤ 21.12.10
centurysys futurenet nxr-g060 firmware: ≤ 21.15.6
centurysys futurenet nxr-g100 firmware: ≤ 6.23.11
centurysys futurenet nxr-g110 firmware: ≤ 21.7.32
centurysys futurenet nxr-g120 firmware: ≤ 21.15.2c
centurysys futurenet nxr-g200 firmware: ≤ 9.12.16
centurysys futurenet vxr-x64: ≤ 21.7.32
+12 more product configuration(s); see NVD for the full list

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping has not yet run for this CVE; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-489

Minimal functionality precludes inclusion of active debug code or diagnostic interfaces.

addresses: CWE-78

Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

addresses: CWE-78

Validates inputs to block special elements that would alter OS command execution.