{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31847", "assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "state": "PUBLISHED", "assignerShortName": "TuranSec", "dateReserved": "2026-03-09T18:20:23.399Z", "datePublished": "2026-03-23T12:07:05.062Z", "dateUpdated": "2026-03-26T10:52:50.115Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "shortName": "TuranSec", "dateUpdated": "2026-03-26T10:52:50.115Z"}, "title": "Hidden Functionality Enables Remote Telnet Activation via /goform/setSysTools in Nexxt Nebula 300+", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-912", "description": "CWE-912 Hidden Functionality", "type": "CWE"}]}], "impacts": [{"descriptions": [{"lang": "en", "value": "An attacker who can invoke the affected functionality can enable a privileged Telnet service remotely, exposing a diagnostic management interface and enabling further compromise of the device."}]}], "affected": [{"vendor": "Nexxt Solutions", "product": "Nebula 300+", "versions": [{"status": "affected", "version": "<= 12.01.01.37", "lessThanOrEqual": "Nebula300+_v12.01.01.37", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Hidden functionality in the /goform/setSysTools endpoint in Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 allows remote enablement of a Telnet service. By sending a crafted POST request with parameters such as telnetManageEn=true and telnetPwd, an authenticated attacker can activate a Telnet service on port 23. This exposes a privileged diagnostic interface that is not intended for external access and can be used to interact with the underlying system.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Hidden functionality in the <code>/goform/setSysTools</code> endpoint in Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 allows remote enablement of a Telnet service. By sending a crafted POST request with parameters such as <code>telnetManageEn=true</code> and <code>telnetPwd</code>, an authenticated attacker can activate a Telnet service on port 23. This exposes a privileged diagnostic interface that is not intended for external access and can be used to interact with the underlying system."}]}], "references": [{"url": "https://www.nexxtsolutions.com/connectivity/internal-products/ARN02304U6/", "name": "Official product page"}, {"url": "https://nexxt-connectivity-frontend.s3.amazonaws.com/media/docs/Nebula300+_v12.01.01.37.zip", "name": "Firmware download"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.5, "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}], "credits": [{"lang": "en", "value": "Angel Barre (call4pwn)", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T15:16:37.215985Z", "id": "CVE-2026-31847", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T15:52:16.990Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-31847", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-23T15:16:37.215985Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T15:16:38.580Z"}}], "cna": {"title": "Hidden Functionality Enables Remote Telnet Activation via /goform/setSysTools in Nexxt Nebula 300+", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Angel Barre (call4pwn)"}], "impacts": [{"descriptions": [{"lang": "en", "value": "An attacker who can invoke the affected functionality can enable a privileged Telnet service remotely, exposing a diagnostic management interface and enabling further compromise of the device."}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.5, "Automatable": "NOT_DEFINED", "attackVector": "ADJACENT", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Nexxt Solutions", "product": "Nebula 300+", "versions": [{"status": "affected", "version": "<= 12.01.01.37", "versionType": "custom", "lessThanOrEqual": "Nebula300+_v12.01.01.37"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.nexxtsolutions.com/connectivity/internal-products/ARN02304U6/", "name": "Official product page"}, {"url": "https://nexxt-connectivity-frontend.s3.amazonaws.com/media/docs/Nebula300+_v12.01.01.37.zip", "name": "Firmware download"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Hidden functionality in the /goform/setSysTools endpoint in Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 allows remote enablement of a Telnet service. By sending a crafted POST request with parameters such as telnetManageEn=true and telnetPwd, an authenticated attacker can activate a Telnet service on port 23. This exposes a privileged diagnostic interface that is not intended for external access and can be used to interact with the underlying system.", "supportingMedia": [{"type": "text/html", "value": "Hidden functionality in the <code>/goform/setSysTools</code> endpoint in Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 allows remote enablement of a Telnet service. By sending a crafted POST request with parameters such as <code>telnetManageEn=true</code> and <code>telnetPwd</code>, an authenticated attacker can activate a Telnet service on port 23. This exposes a privileged diagnostic interface that is not intended for external access and can be used to interact with the underlying system.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-912", "description": "CWE-912 Hidden Functionality"}]}], "providerMetadata": {"orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "shortName": "TuranSec", "dateUpdated": "2026-03-26T10:52:50.115Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31847", "state": "PUBLISHED", "dateUpdated": "2026-03-26T10:52:50.115Z", "dateReserved": "2026-03-09T18:20:23.399Z", "assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "datePublished": "2026-03-23T12:07:05.062Z", "assignerShortName": "TuranSec"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:nexxtsolutions:nebula300plus_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "D55E0FD8-9ADB-423B-A23F-64F41F9DD40B", "versionEndIncluding": "12.01.01.37", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:nexxtsolutions:nebula300plus:-:*:*:*:*:*:*:*", "matchCriteriaId": "F9AA93D2-E1BA-4EFC-8760-BF366CF6474D", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Hidden functionality in the /goform/setSysTools endpoint in Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 allows remote enablement of a Telnet service. By sending a crafted POST request with parameters such as telnetManageEn=true and telnetPwd, an authenticated attacker can activate a Telnet service on port 23. This exposes a privileged diagnostic interface that is not intended for external access and can be used to interact with the underlying system."}, {"lang": "es", "value": "Funcionalidad oculta en el endpoint /goform/setSysTools en el firmware de Nexxt Solutions Nebula 300+ hasta la versi\u00f3n 12.01.01.37 permite la habilitaci\u00f3n remota de un servicio Telnet. Una vez habilitado, el servicio expone una interfaz de gesti\u00f3n de diagn\u00f3stico privilegiada a trav\u00e9s de la red, aumentando la superficie de ataque y permitiendo un compromiso adicional del dispositivo."}], "id": "CVE-2026-31847", "lastModified": "2026-04-29T17:46:52.740", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "ADJACENT", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "type": "Secondary"}]}, "published": "2026-03-23T13:16:30.320", "references": [{"source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "tags": ["Product"], "url": "https://nexxt-connectivity-frontend.s3.amazonaws.com/media/docs/Nebula300+_v12.01.01.37.zip"}, {"source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "tags": ["Product"], "url": "https://www.nexxtsolutions.com/connectivity/internal-products/ARN02304U6/"}], "sourceIdentifier": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-912"}], "source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,Nebula300+_v12.01.01.37]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Nebula 300+", "source": "cna", "vendor": "Nexxt Solutions"}, "product": "nebula300+", "vendor": "nexxtsolutions"}], "analysis": {"en": {"generated_at": "2026-03-26T12:22:57.539660+00:00", "value": {"mitigation_remediation": ["Upgrade the device to a firmware version that removes the hidden Telnet activation capability.", "If no update is available, block external access to the web interface and the /goform/setSysTools endpoint.", "Disable the Telnet service in the device settings to prevent remote activation.", "Enforce strong, unique credentials for device management and consider implementing multi\u2011factor authentication.", "Monitor system logs for any changes to the Telnet service state and investigate suspicious activity."], "summary": {"action": "Patch Immediately", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "This issue affects Nexxt Solutions Nebula\u00a0300+ devices running firmware versions\u00a012.01.01.37 and earlier. The affected system is the Nebula\u00a0300+ network gateway, which typically serves as a local management point for connectivity infrastructure.", "description_and_impact": "The vulnerability arises from hidden functionality in the /goform/setSysTools endpoint of Nexxt Solutions Nebula 300+ firmware versions up to 12.01.01.37. An authenticated attacker can send a crafted POST request that turns on a Telnet service on port\u00a023, exposing a privileged diagnostic interface that is meant for internal use only. This flaw constitutes a CWE\u2011912 vulnerability and effectively provides remote code execution or privileged command execution capabilities to anyone that can authenticate to the device.", "risk_and_exploitability": "The vulnerability scores as CVSS\u00a08.5, indicating high severity, while the EPSS score is below\u202f1\u202f%, implying current exploit prevalence is low and the vulnerability is not on the CISA Known Exploited Vulnerabilities list. Attackers need valid credentials to reach the endpoint, so the exploit requires prior access or credential compromise, but once authenticated, the attacker can activate Telnet with a simple POST request. The applied risk is elevated when the Nebula device is exposed to untrusted networks, as the enabled Telnet service opens a channel for arbitrary command execution."}}}}, "created": "2026-03-24T10:34:41.819078+00:00", "updated": "2026-03-26T13:55:20.622899+00:00", "vendors": ["nexxtsolutions", "nexxtsolutions$PRODUCT$nebula300+"]}