{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31850", "assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "state": "PUBLISHED", "assignerShortName": "TuranSec", "dateReserved": "2026-03-09T18:20:23.399Z", "datePublished": "2026-03-23T12:21:41.917Z", "dateUpdated": "2026-03-26T10:46:21.810Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "shortName": "TuranSec", "dateUpdated": "2026-03-26T10:46:21.810Z"}, "title": "Plaintext Storage of Credentials in Configuration Backup in Nexxt Nebula 300+", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-256", "description": "CWE-256 Plaintext Storage of a Password", "type": "CWE"}]}], "impacts": [{"descriptions": [{"lang": "en", "value": "An attacker who obtains a configuration backup file can extract administrative credentials and WiFi pre-shared keys in plaintext."}]}], "affected": [{"vendor": "Nexxt Solutions", "product": "Nebula 300+", "versions": [{"status": "affected", "version": "<= 12.01.01.37"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 stores sensitive information, including administrative credentials and WiFi pre-shared keys, in plaintext within exported configuration backup files. These backup files can be obtained through legitimate functionality or other weaknesses and do not apply encryption or hashing, allowing attackers to directly extract sensitive information.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 stores sensitive information, including administrative credentials and WiFi pre-shared keys, in plaintext within exported configuration backup files. These backup files can be obtained through legitimate functionality or other weaknesses and do not apply encryption or hashing, allowing attackers to directly extract sensitive information."}]}], "references": [{"url": "https://www.nexxtsolutions.com/connectivity/internal-products/ARN02304U6/"}, {"url": "https://nexxt-connectivity-frontend.s3.amazonaws.com/media/docs/Nebula300+_v12.01.01.37.zip"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 6.8, "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"}}], "credits": [{"lang": "en", "value": "Angel Barre (call4pwn)", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T15:07:10.958896Z", "id": "CVE-2026-31850", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T15:51:46.991Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-31850", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-23T15:07:10.958896Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T15:07:12.229Z"}}], "cna": {"title": "Plaintext Storage of Credentials in Configuration Backup in Nexxt Nebula 300+", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Angel Barre (call4pwn)"}], "impacts": [{"descriptions": [{"lang": "en", "value": "An attacker who obtains a configuration backup file can extract administrative credentials and WiFi pre-shared keys in plaintext."}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.8, "Automatable": "NOT_DEFINED", "attackVector": "ADJACENT", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Nexxt Solutions", "product": "Nebula 300+", "versions": [{"status": "affected", "version": "<= 12.01.01.37"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.nexxtsolutions.com/connectivity/internal-products/ARN02304U6/"}, {"url": "https://nexxt-connectivity-frontend.s3.amazonaws.com/media/docs/Nebula300+_v12.01.01.37.zip"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 stores sensitive information, including administrative credentials and WiFi pre-shared keys, in plaintext within exported configuration backup files. These backup files can be obtained through legitimate functionality or other weaknesses and do not apply encryption or hashing, allowing attackers to directly extract sensitive information.", "supportingMedia": [{"type": "text/html", "value": "Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 stores sensitive information, including administrative credentials and WiFi pre-shared keys, in plaintext within exported configuration backup files. These backup files can be obtained through legitimate functionality or other weaknesses and do not apply encryption or hashing, allowing attackers to directly extract sensitive information.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-256", "description": "CWE-256 Plaintext Storage of a Password"}]}], "providerMetadata": {"orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "shortName": "TuranSec", "dateUpdated": "2026-03-26T10:46:21.810Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31850", "state": "PUBLISHED", "dateUpdated": "2026-03-26T10:46:21.810Z", "dateReserved": "2026-03-09T18:20:23.399Z", "assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "datePublished": "2026-03-23T12:21:41.917Z", "assignerShortName": "TuranSec"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 stores sensitive information, including administrative credentials and WiFi pre-shared keys, in plaintext within exported configuration backup files. These backup files can be obtained through legitimate functionality or other weaknesses and do not apply encryption or hashing, allowing attackers to directly extract sensitive information."}, {"lang": "es", "value": "El firmware de Nexxt Solutions Nebula 300+ hasta la versi\u00f3n 12.01.01.37 almacena informaci\u00f3n sensible, incluyendo credenciales administrativas y claves precompartidas de WiFi, en texto plano dentro de los archivos de copia de seguridad de configuraci\u00f3n exportados."}], "id": "CVE-2026-31850", "lastModified": "2026-03-26T11:16:20.977", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "ADJACENT", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "type": "Secondary"}]}, "published": "2026-03-23T13:16:30.807", "references": [{"source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "url": "https://nexxt-connectivity-frontend.s3.amazonaws.com/media/docs/Nebula300+_v12.01.01.37.zip"}, {"source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "url": "https://www.nexxtsolutions.com/connectivity/internal-products/ARN02304U6/"}], "sourceIdentifier": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-256"}], "source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,12.01.01.37]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Nebula 300+", "source": "cna", "vendor": "Nexxt Solutions"}, "product": "nebula300+", "vendor": "nexxtsolutions"}], "analysis": {"en": {"generated_at": "2026-03-26T12:22:17.083774+00:00", "value": {"mitigation_remediation": ["Upgrade Nebula\u202f300+ firmware to version 12.01.01.38 or later to eliminate plaintext credential storage", "Restrict or disable the configuration backup export feature if not required for operations", "Educate users and administrators to verify that backup files no longer contain plaintext credentials and WiFi keys", "Monitor logs for unauthorized backup download activity to detect potential exploitation attempts"], "summary": {"action": "Patch Immediately", "impact": "Credential Compromise"}, "threat_synthesis": {"affected_systems": "Affected products are Nexxt Solutions Nebula\u202f300+. The issue exists in all firmware releases up to and including 12.01.01.37. No explicit later versions are listed as affected, therefore any device running a firmware version older than 12.01.01.38 may be vulnerable.", "description_and_impact": "Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 writes administrative credentials and WiFi pre\u2011shared keys in plaintext within exported configuration backup files. The vulnerability, identified as CWE\u2011256, allows an attacker who can obtain a backup to read sensitive authentication information directly. This exposure can enable unauthorized access to the device\u2019s administrative interface, compromise network security, and potentially allow lateral movement to other systems on the same WiFi network.", "risk_and_exploitability": "The CVSS score of 6.8 indicates medium severity. The EPSS score of less than 1\u202f% suggests low current exploitation likelihood, and the vulnerability is not listed in the CISA KEV catalog. Attackers would need to obtain an exported configuration backup, which can occur through legitimate user functionality or potentially via other weaknesses that provide access to the backup export. While no remote code execution is available, the ability to read credentials directly provides a high\u2011impact means for privilege escalation and network compromise."}}}}, "created": "2026-03-24T10:34:37.472349+00:00", "updated": "2026-03-26T13:55:17.682418+00:00", "vendors": ["nexxtsolutions", "nexxtsolutions$PRODUCT$nebula300+"]}