{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31848", "assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "state": "PUBLISHED", "assignerShortName": "TuranSec", "dateReserved": "2026-03-09T18:20:23.399Z", "datePublished": "2026-03-23T12:09:30.338Z", "dateUpdated": "2026-03-26T10:45:19.121Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "shortName": "TuranSec", "dateUpdated": "2026-03-26T10:45:19.121Z"}, "title": "Reversible ecos_pw Cookie Allows Authentication Bypass in Nexxt Nebula 300+", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-312", "description": "CWE-312 Cleartext Storage of Sensitive Information", "type": "CWE"}]}], "impacts": [{"descriptions": [{"lang": "en", "value": "An attacker who obtains or reconstructs the ecos_pw cookie value can authenticate as an administrator and gain unauthorized access to the device."}]}], "affected": [{"vendor": "Nexxt Solutions", "product": "Nebula 300+", "versions": [{"status": "affected", "version": "<= 12.01.01.37"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 uses the ecos_pw cookie for authentication, which contains Base64-encoded credential data combined with a static suffix. Because the encoding is reversible and lacks integrity protection, an attacker can reconstruct or forge a valid cookie value without proper authentication. This allows unauthorized administrative access to protected endpoints.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 uses the <code>ecos_pw</code> cookie for authentication, which contains Base64-encoded credential data combined with a static suffix. Because the encoding is reversible and lacks integrity protection, an attacker can reconstruct or forge a valid cookie value without proper authentication. This allows unauthorized administrative access to protected endpoints."}]}], "references": [{"url": "https://www.nexxtsolutions.com/connectivity/internal-products/ARN02304U6/", "name": "Official product page"}, {"url": "https://nexxt-connectivity-frontend.s3.amazonaws.com/media/docs/Nebula300+_v12.01.01.37.zip", "name": "Firmware download"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.7, "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}], "credits": [{"lang": "en", "value": "Angel Barre (call4pwn)", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T15:16:34.823978Z", "id": "CVE-2026-31848", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T15:51:59.795Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-31848", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-23T15:16:34.823978Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T15:16:35.967Z"}}], "cna": {"title": "Reversible ecos_pw Cookie Allows Authentication Bypass in Nexxt Nebula 300+", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Angel Barre (call4pwn)"}], "impacts": [{"descriptions": [{"lang": "en", "value": "An attacker who obtains or reconstructs the ecos_pw cookie value can authenticate as an administrator and gain unauthorized access to the device."}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "ADJACENT", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Nexxt Solutions", "product": "Nebula 300+", "versions": [{"status": "affected", "version": "<= 12.01.01.37"}], "defaultStatus": "affected"}], "references": [{"url": "https://www.nexxtsolutions.com/connectivity/internal-products/ARN02304U6/", "name": "Official product page"}, {"url": "https://nexxt-connectivity-frontend.s3.amazonaws.com/media/docs/Nebula300+_v12.01.01.37.zip", "name": "Firmware download"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 uses the ecos_pw cookie for authentication, which contains Base64-encoded credential data combined with a static suffix. Because the encoding is reversible and lacks integrity protection, an attacker can reconstruct or forge a valid cookie value without proper authentication. This allows unauthorized administrative access to protected endpoints.", "supportingMedia": [{"type": "text/html", "value": "Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 uses the <code>ecos_pw</code> cookie for authentication, which contains Base64-encoded credential data combined with a static suffix. Because the encoding is reversible and lacks integrity protection, an attacker can reconstruct or forge a valid cookie value without proper authentication. This allows unauthorized administrative access to protected endpoints.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-312", "description": "CWE-312 Cleartext Storage of Sensitive Information"}]}], "providerMetadata": {"orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "shortName": "TuranSec", "dateUpdated": "2026-03-26T10:45:19.121Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31848", "state": "PUBLISHED", "dateUpdated": "2026-03-26T10:45:19.121Z", "dateReserved": "2026-03-09T18:20:23.399Z", "assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "datePublished": "2026-03-23T12:09:30.338Z", "assignerShortName": "TuranSec"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 uses the ecos_pw cookie for authentication, which contains Base64-encoded credential data combined with a static suffix. Because the encoding is reversible and lacks integrity protection, an attacker can reconstruct or forge a valid cookie value without proper authentication. This allows unauthorized administrative access to protected endpoints."}, {"lang": "es", "value": "El firmware de Nexxt Solutions Nebula 300+ hasta la versi\u00f3n 12.01.01.37 almacena material de autenticaci\u00f3n administrativa en la cookie ecos_pw utilizando un formato codificado en Base64 reversible con un sufijo est\u00e1tico. Un atacante que obtiene o deriva este valor de cookie puede falsificar una sesi\u00f3n administrativa v\u00e1lida y obtener acceso no autorizado al dispositivo."}], "id": "CVE-2026-31848", "lastModified": "2026-03-26T11:16:20.677", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "ADJACENT", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "type": "Secondary"}]}, "published": "2026-03-23T13:16:30.490", "references": [{"source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "url": "https://nexxt-connectivity-frontend.s3.amazonaws.com/media/docs/Nebula300+_v12.01.01.37.zip"}, {"source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "url": "https://www.nexxtsolutions.com/connectivity/internal-products/ARN02304U6/"}], "sourceIdentifier": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-312"}], "source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,12.01.01.37]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Nebula 300+", "source": "cna", "vendor": "Nexxt Solutions"}, "product": "nebula300+", "vendor": "nexxtsolutions"}], "analysis": {"en": {"generated_at": "2026-03-26T12:50:23.300068+00:00", "value": {"mitigation_remediation": ["Apply the latest Nebula 300+ firmware update that removes reliance on the reversible ecos_pw cookie", "Restrict network access to the device\u2019s administrative interfaces to trusted IP ranges while the patch is applied", "Verify the firmware version after updating and monitor for further vendor patches"], "summary": {"action": "Immediate Patch", "impact": "Authentication Bypass"}, "threat_synthesis": {"affected_systems": "All Nexxt Solutions Nebula 300+ units running firmware version 12.01.01.37 or earlier are vulnerable to this flaw. The issue is contained within the firmware of this product family and any installation with a version equal to or older than 12.01.01.37 must be examined.", "description_and_impact": "The Nebula 300+ firmware uses an ecos_pw cookie that stores Base64\u2011encoded credential data with a static suffix. Because the encoding is reversible and the cookie lacks integrity checks, an attacker can create a valid cookie without authenticating. Submitting such a forged cookie allows the attacker to gain administrative access to protected endpoints, threatening confidentiality, integrity, and availability of the device.", "risk_and_exploitability": "The CVSS score of 8.7 rates this vulnerability as high. The EPSS of less than 1% indicates that exploitation is currently unlikely, and it is not listed in the CISA KEV catalog. The likely attack vector is remote: an attacker can craft a valid ecos_pw cookie and send it to any reachable Nebula 300+ device, bypassing authentication without requiring local access or additional privileges."}}}}, "created": "2026-03-24T10:34:39.203112+00:00", "updated": "2026-03-26T13:55:19.576164+00:00", "vendors": ["nexxtsolutions", "nexxtsolutions$PRODUCT$nebula300+"]}