CVE-2026-31849 (GCVE-0-2026-31849)
Vulnerability from cvelistv5
Published
2026-03-23 12:16
Modified
2026-03-26 10:45
Severity ?
7.2 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
CWE
  • CWE-352 - Cross-Site Request Forgery (CSRF)
Summary
Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 does not implement CSRF protections on state-changing endpoints such as /goform/setSysTools and other administrative interfaces. As a result, an attacker can craft malicious web requests that are executed in the context of an authenticated administrator’s browser, leading to unauthorized configuration changes, including enabling services or modifying system settings.
References
Impacted products
Vendor Product Version
Nexxt Solutions Nebula 300+ Version: <= 12.01.01.37
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-31849",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-23T15:17:48.215554Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-23T15:51:53.375Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Nebula 300+",
          "vendor": "Nexxt Solutions",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 12.01.01.37"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Angel Barre (call4pwn)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 does not implement CSRF protections on state-changing endpoints such as \u003ccode\u003e/goform/setSysTools\u003c/code\u003e and other administrative interfaces. As a result, an attacker can craft malicious web requests that are executed in the context of an authenticated administrator\u2019s browser, leading to unauthorized configuration changes, including enabling services or modifying system settings."
            }
          ],
          "value": "Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 does not implement CSRF protections on state-changing endpoints such as /goform/setSysTools and other administrative interfaces. As a result, an attacker can craft malicious web requests that are executed in the context of an authenticated administrator\u2019s browser, leading to unauthorized configuration changes, including enabling services or modifying system settings."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "A remote attacker can cause an authenticated administrator\u0027s browser to send forged state-changing requests, resulting in unauthorized configuration changes."
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-26T10:45:40.996Z",
        "orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
        "shortName": "TuranSec"
      },
      "references": [
        {
          "name": "Official product page",
          "url": "https://www.nexxtsolutions.com/connectivity/internal-products/ARN02304U6/"
        },
        {
          "name": "Firmware download",
          "url": "https://nexxt-connectivity-frontend.s3.amazonaws.com/media/docs/Nebula300+_v12.01.01.37.zip"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Missing CSRF Protection on Administrative Endpoints in Nexxt Nebula 300+",
      "x_generator": {
        "engine": "Vulnogram 1.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
    "assignerShortName": "TuranSec",
    "cveId": "CVE-2026-31849",
    "datePublished": "2026-03-23T12:16:59.624Z",
    "dateReserved": "2026-03-09T18:20:23.399Z",
    "dateUpdated": "2026-03-26T10:45:40.996Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-31849\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-23T15:17:48.215554Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-23T15:17:49.181Z\"}}], \"cna\": {\"title\": \"Missing CSRF Protection on Administrative Endpoints in Nexxt Nebula 300+\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Angel Barre (call4pwn)\"}], \"impacts\": [{\"descriptions\": [{\"lang\": \"en\", \"value\": \"A remote attacker can cause an authenticated administrator\u0027s browser to send forged state-changing requests, resulting in unauthorized configuration changes.\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 7.2, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N\", \"exploitMaturity\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"PASSIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Nexxt Solutions\", \"product\": \"Nebula 300+\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 12.01.01.37\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://www.nexxtsolutions.com/connectivity/internal-products/ARN02304U6/\", \"name\": \"Official product page\"}, {\"url\": \"https://nexxt-connectivity-frontend.s3.amazonaws.com/media/docs/Nebula300+_v12.01.01.37.zip\", \"name\": \"Firmware download\"}], \"x_generator\": {\"engine\": \"Vulnogram 1.0.1\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 does not implement CSRF protections on state-changing endpoints such as /goform/setSysTools and other administrative interfaces. As a result, an attacker can craft malicious web requests that are executed in the context of an authenticated administrator\\u2019s browser, leading to unauthorized configuration changes, including enabling services or modifying system settings.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 does not implement CSRF protections on state-changing endpoints such as \u003ccode\u003e/goform/setSysTools\u003c/code\u003e and other administrative interfaces. As a result, an attacker can craft malicious web requests that are executed in the context of an authenticated administrator\\u2019s browser, leading to unauthorized configuration changes, including enabling services or modifying system settings.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-352\", \"description\": \"CWE-352 Cross-Site Request Forgery (CSRF)\"}]}], \"providerMetadata\": {\"orgId\": \"309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c\", \"shortName\": \"TuranSec\", \"dateUpdated\": \"2026-03-26T10:45:40.996Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-31849\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-26T10:45:40.996Z\", \"dateReserved\": \"2026-03-09T18:20:23.399Z\", \"assignerOrgId\": \"309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c\", \"datePublished\": \"2026-03-23T12:16:59.624Z\", \"assignerShortName\": \"TuranSec\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.