Home

Description

Missing authentication in the /goform/ate endpoint in Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 allows an adjacent unauthenticated attacker to retrieve sensitive device information, including the administrator password. The endpoint returns a raw response containing parameters such as Login_PW, which is Base64-encoded. An attacker can decode this value to obtain valid administrative credentials and authenticate to the device.

PUBLISHED Reserved 2026-03-09 | Published 2026-03-23 | Updated 2026-03-26 | Assigner TuranSec




HIGH: 7.1CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

MEDIUM: 6.5CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

6.1AV:A/AC:L/Au:N/C:C/I:N/A:N

Problem types

CWE-306 Missing Authentication for Critical Function

Product status

Default status
affected

<= 12.01.01.37
affected

Credits

Angel Barre (call4pwn) finder

References

www.nexxtsolutions.com/...vity/internal-products/ARN02304U6/ product

nexxt-connectivity-frontend.s3.amazonaws.com/...01.01.37.zip product

cve.org (CVE-2026-31846)

nvd.nist.gov (CVE-2026-31846)

Download JSON