Empty Password in Configuration File in FURUNO SYSTEMS ACERA 9010
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2024-28744 |
| CWE-ID | CWE-258 |
| Exploitation vector | Local network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
ACERA 9010-08 Hardware solutions / Routers & switches, VoIP, GSM, etc ACERA 9010-24 Hardware solutions / Routers & switches, VoIP, GSM, etc |
| Vendor | FURUNO SYSTEMS |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Empty Password in Configuration File
EUVDB-ID: #VU87975
Risk: Medium
CVSSv3.1: 7.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-28744
CWE-ID:
CWE-258 - Empty password in configuration file
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to the password is empty and the remote access service is enabled. A remote attacker on the local network can log in to the product with no password and obtain and/or alter information.
MitigationInstall updates from vendor's website.
Vulnerable software versionsACERA 9010-08: 02.04
ACERA 9010-24: 02.04
External linkshttp://jvn.jp/en/vu/JVNVU99285099/index.html
http://www.furunosystems.co.jp/news/info/vulner20240401.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
