CVE-2024-50357 Overview
CVE-2024-50357 is a critical insecure default configuration vulnerability affecting FutureNet NXR series routers manufactured by Century Systems Co., Ltd. The vulnerability stems from REST-APIs being unexpectedly enabled when devices power up, despite being configured as disabled in the factory default settings. This occurs when either the http-server (GUI) or Web authentication is enabled—and notably, the http-server is enabled by default.
Compounding the issue, the factory default configuration includes preconfigured username and password credentials for REST-API access. This combination allows unauthenticated remote attackers to obtain and alter device settings through the REST-APIs using these default credentials.
Critical Impact
Remote attackers can leverage default credentials to access REST-APIs and completely compromise router configurations, potentially leading to network takeover, traffic interception, or denial of service.
Affected Products
- FutureNet NXR series routers (Century Systems Co., Ltd.)
- Devices with http-server (GUI) enabled (factory default)
- Devices with Web authentication enabled
Discovery Timeline
- 2024-11-29 - CVE-2024-50357 published to NVD
- 2024-11-29 - Last updated in NVD database
Technical Details for CVE-2024-50357
Vulnerability Analysis
This vulnerability represents an insecure default configuration issue (CWE-684: Incorrect Provision of Specified Functionality) where the actual runtime behavior contradicts the documented configuration state. The FutureNet NXR series routers are shipped with REST-APIs ostensibly disabled in the factory default configuration. However, a logic flaw in the initialization process causes these APIs to become active whenever the http-server (GUI) or Web authentication features are enabled.
Since the http-server GUI is enabled by default for administrative convenience, virtually all out-of-the-box deployments expose the REST-APIs. The factory default configuration also includes static credentials for REST-API authentication, meaning attackers with network access can immediately authenticate and interact with the full REST-API surface.
The exploitation impact is severe: attackers can read sensitive configuration data including network topology information, routing tables, and potentially stored credentials. They can also modify device configurations to establish persistence, redirect traffic, create backdoor access, or disable security controls entirely.
Root Cause
The root cause is a design flaw in the configuration management logic where enabling related services (http-server or Web authentication) implicitly activates REST-APIs regardless of their explicit configuration setting. This violates the principle of explicit configuration where each service should be independently controllable. The additional presence of hardcoded default credentials in the factory configuration creates a direct exploitation path.
Attack Vector
The attack vector is network-based, requiring no authentication, no user interaction, and low complexity to exploit. An attacker simply needs network reachability to the router's management interface.
The attack proceeds as follows:
- The attacker identifies a FutureNet NXR series router on the network, typically by scanning for HTTP services or identifying the device through banner information
- The attacker attempts to access REST-API endpoints on the device
- Using the factory default credentials (which are publicly documented or easily obtainable), the attacker authenticates to the REST-API
- Once authenticated, the attacker can enumerate device configuration, extract sensitive data, or modify settings to compromise the network infrastructure
No exploit code is available in public repositories; however, the attack methodology requires only standard HTTP tools such as curl or REST client applications to interact with the exposed APIs using default credentials.
Detection Methods for CVE-2024-50357
Indicators of Compromise
- Unexpected REST-API requests to FutureNet NXR router management interfaces
- Authentication attempts using default or factory credentials against router REST-APIs
- Configuration changes on NXR routers not initiated by authorized administrators
- Unusual outbound connections or routing modifications on affected devices
Detection Strategies
- Monitor network traffic for HTTP/HTTPS connections to router management ports from unauthorized sources
- Implement network segmentation monitoring to detect management interface access from non-administrative networks
- Deploy intrusion detection rules to identify REST-API enumeration patterns against Century Systems devices
- Enable and centralize logging on all NXR series routers to track API access and configuration changes
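The first two detection strategies above, sketched as an added example (not code from this advisory or from Century Systems): a Python check that flags HTTP/HTTPS connections to router management addresses from sources outside the admin network. The flow-record format, the router address 192.0.2.1, ports 80/443 and every sample record are constructed assumptions; 10.0.1.0/24 is the admin network used in the ACL concept under Workarounds.

```python
import ipaddress
from collections import defaultdict

# Assumed environment, adapt to your network (none of these values come from the vendor).
ADMIN_NETS = [ipaddress.ip_network("10.0.1.0/24")]   # trusted admin network
ROUTER_MGMT = {ipaddress.ip_address("192.0.2.1")}    # NXR management address (placeholder)
MGMT_PORTS = {80, 443}                               # http-server (GUI) / REST-API ports (assumed)

# Constructed flow records: timestamp src dst dst_port proto
SAMPLE_FLOWS = """\
2024-12-02T09:14:03Z 10.0.1.15 192.0.2.1 443 tcp
2024-12-02T09:20:41Z 10.0.7.44 192.0.2.1 80 tcp
2024-12-02T09:20:42Z 10.0.7.44 192.0.2.1 443 tcp
2024-12-02T09:31:10Z 198.51.100.23 192.0.2.1 443 tcp
2024-12-02T09:35:00Z 10.0.7.44 192.0.2.50 443 tcp
2024-12-02T09:36:12Z 10.0.7.44 192.0.2.1 22 tcp
2024-12-02T09:40:00Z truncated-record
"""

def parse_flow(line):
    """Parse one record; raises ValueError on any malformed field."""
    ts, src, dst, port, proto = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), proto.lower()

def unauthorized_mgmt_access(flow_text):
    """Return ({source: [(ts, dst, port), ...]}, [malformed line numbers])."""
    hits, malformed = defaultdict(list), []
    for lineno, line in enumerate(flow_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            ts, src, dst, port, proto = parse_flow(line)
        except ValueError:
            malformed.append(lineno)   # track these: unparsed telemetry can hide access
            continue
        if proto != "tcp" or dst not in ROUTER_MGMT or port not in MGMT_PORTS:
            continue                   # not web management traffic to a router
        if any(src in net for net in ADMIN_NETS):
            continue                   # permitted admin source
        hits[str(src)].append((ts, str(dst), port))
    return dict(hits), malformed

if __name__ == "__main__":
    hits, malformed = unauthorized_mgmt_access(SAMPLE_FLOWS)
    for src, events in sorted(hits.items()):
        print(f"ALERT {src}: {len(events)} management connection(s), first at {events[0][0]}")
    if malformed:
        print(f"WARN unparsed records at lines {malformed}")
```

Any alert from a non-admin source is worth following up with a configuration audit of the router it reached, since the REST-APIs share the http-server exposure described above.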
Monitoring Recommendations
- Establish baseline REST-API usage patterns and alert on anomalies
- Configure alerts for any configuration changes on affected routers
- Monitor for new user accounts or credential modifications via REST-API calls
- Implement regular configuration audits comparing running configurations against approved baselines
How to Mitigate CVE-2024-50357
Immediate Actions Required
- Change all default REST-API credentials immediately on all FutureNet NXR series routers
- Restrict management interface access to trusted administrative networks only using firewall rules or ACLs
- Audit current configurations to identify any unauthorized modifications
- Disable http-server (GUI) if not required for operations, which will prevent REST-APIs from being enabled
Patch Information
Century Systems Co., Ltd. has released information regarding this vulnerability. Administrators should consult the CenturySys Security Bulletin for official patch availability and firmware update instructions. Additional technical details are available in the JVN Security Vulnerability Report.
Apply the latest firmware updates as soon as they become available from the vendor.
Workarounds
- Disable the http-server (GUI) feature if administrative access can be performed via alternative methods such as CLI/SSH
- If http-server must remain enabled, ensure REST-API credentials are changed from factory defaults to strong, unique passwords
- Implement network segmentation to isolate router management interfaces from general network access
- Deploy a firewall or access control list restricting management interface access to specific administrator IP addresses
# Configuration example - Restrict management access (adapt to your network)
# Ensure management interfaces are only accessible from trusted admin networks
# Example ACL concept (consult Century Systems documentation for exact syntax):
# access-list management permit ip 10.0.1.0/24 any
# access-list management deny ip any any
# Apply to management interface


