FURUNO SYSTEMS Managed Switch ACERA 9010 running in non MS mode with the initial configuration has no password


In the initial configuration of Managed Switch ACERA 9010 provided by FURUNO Systems Co., Ltd., the password is empty (CWE-258) and the remote access service is enabled.

The products are affected only when running in non MS mode with the initial configuration.

FURUNO SYSTEMS Co.,Ltd. reported this vulnerability to JPCERT/CC to notify users of the solutions through JVN.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 8.8 (High) [Other]
  • Attack Vector: Adjacent Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
Affected Products

  • ACERA 9010-08 firmware v02.04 and earlier
  • ACERA 9010-24 firmware v02.04 and earlier

According to the developer, they are not affected when running in MS mode (in this mode, the device is managed by a UNIFAS server).

An unauthenticated attacker may log in to the product with no password, and obtain and/or alter information such as network configuration and user information.

Set a password using CLI commands, if the affected product is used without configuring any password.
For more information, refer to the information provided by the developer.
Vendor Information

CWE (What is CWE?)

  1. Empty Password in Configuration File(CWE-258) [Other]
CVE (What is CVE?)

  1. CVE-2024-28744

  1. JVN : JVNVU#99285099
Revision History

  • [2024/04/02]
      Web page was published