PT-2021-22490 · Nexto+1 · Nexto Xpress Xp340+14

D. Teuchert

Published

2021-08-23

Updated

2021-08-26

CVE-2021-39245

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions Nexto NX3003 version 1.8.11.0 Nexto NX3004 version 1.8.11.0 Nexto NX3005 version 1.8.11.0 Nexto NX3010 version 1.8.3.0 Nexto NX3020 version 1.8.3.0 Nexto NX3030 version 1.8.3.0 Nexto NX5100 version 1.8.11.0 Nexto NX5101 version 1.8.11.0 Nexto NX5110 version 1.1.2.8 Nexto NX5210 version 1.1.2.8 Nexto Xpress XP300 version 1.8.11.0 Nexto Xpress XP315 version 1.8.11.0 Nexto Xpress XP325 version 1.8.11.0 Nexto Xpress XP340 version 1.8.11.0 Hadron Xtorm HX3040 version 1.7.58.0

Description Hardcoded .htaccess credentials for getlogs.cgi exist on Altus Nexto, Nexto Xpress, and Hadron Xtorm devices.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Using Hardcoded Credentials

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-798

Related Identifiers

CVE-2021-39245

Affected Products

Hadron Xtorm Hx3040

Nexto Nx3003

Nexto Nx3004

Nexto Nx3005

Nexto Nx3010

Nexto Nx3020

Nexto Nx3030

Nexto Nx5100

Nexto Nx5101

Nexto Nx5110

Nexto Nx5210

Nexto Xpress Xp300

Nexto Xpress Xp315

Nexto Xpress Xp325

Nexto Xpress Xp340

PT-2021-22490 · Nexto+1 · Nexto Xpress Xp340+14

CVE-2021-39245

Weakness Enumeration

Related Identifiers

Affected Products

References · 5