Nexto · Nexto Xpress Xp340 · CVE-2021-39244
**Name of the Vulnerable Software and Affected Versions**
Nexto NX3003 version 1.8.11.0
Nexto NX3004 version 1.8.11.0
Nexto NX3005 version 1.8.11.0
Nexto NX3010 version 1.8.3.0
Nexto NX3020 version 1.8.3.0
Nexto NX3030 version 1.8.3.0
Nexto NX5100 version 1.8.11.0
Nexto NX5101 version 1.8.11.0
Nexto NX5110 version 1.1.2.8
Nexto NX5210 version 1.1.2.8
Nexto Xpress XP300 version 1.8.11.0
Nexto Xpress XP315 version 1.8.11.0
Nexto Xpress XP325 version 1.8.11.0
Nexto Xpress XP340 version 1.8.11.0
Hadron Xtorm HX3040 version 1.7.58.0
**Description**
An authenticated, semi-blind command injection vulnerability exists in the getlogs.cgi tcpdump feature on Altus Nexto, Nexto Xpress, and Hadron Xtorm devices.
**Recommendations**
For Nexto NX3003 version 1.8.11.0, consider disabling the getlogs.cgi tcpdump feature until a patch is available.
For Nexto NX3004 version 1.8.11.0, consider disabling the getlogs.cgi tcpdump feature until a patch is available.
For Nexto NX3005 version 1.8.11.0, consider disabling the getlogs.cgi tcpdump feature until a patch is available.
For Nexto NX3010 version 1.8.3.0, consider disabling the getlogs.cgi tcpdump feature until a patch is available.
For Nexto NX3020 version 1.8.3.0, consider disabling the getlogs.cgi tcpdump feature until a patch is available.
For Nexto NX3030 version 1.8.3.0, consider disabling the getlogs.cgi tcpdump feature until a patch is available.
For Nexto NX5100 version 1.8.11.0, consider disabling the getlogs.cgi tcpdump feature until a patch is available.
For Nexto NX5101 version 1.8.11.0, consider disabling the getlogs.cgi tcpdump feature until a patch is available.
For Nexto NX5110 version 1.1.2.8, consider disabling the getlogs.cgi tcpdump feature until a patch is available.
For Nexto NX5210 version 1.1.2.8, consider disabling the getlogs.cgi tcpdump feature until a patch is available.
For Nexto Xpress XP300 version 1.8.11.0, consider disabling the getlogs.cgi tcpdump feature until a patch is available.
For Nexto Xpress XP315 version 1.8.11.0, consider disabling the getlogs.cgi tcpdump feature until a patch is available.
For Nexto Xpress XP325 version 1.8.11.0, consider disabling the getlogs.cgi tcpdump feature until a patch is available.
For Nexto Xpress XP340 version 1.8.11.0, consider disabling the getlogs.cgi tcpdump feature until a patch is available.
For Hadron Xtorm HX3040 version 1.7.58.0, consider disabling the getlogs.cgi tcpdump feature until a patch is available.