
JVNDB-2025-001898

Multiple vulnerabilities in FutureNet AS series (Industrial Routers) and FA series (Protocol Conversion Machine)

Overview

FutureNet AS series (Industrial Routers) and FA series (Protocol Conversion Machine) provided by Century Systems Co., Ltd. contain multiple vulnerabilities listed below.

* Authentication Bypass (CWE-288) - CVE-2025-24846
* Buffer Overflow (CWE-120) - CVE-2025-25280

Chuya Hayakawa and Ryo Kamino of 00One, Inc. reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.

CVSS Severity

CVSS V3 Severity:
Base Metrics 7.5 (High) [Other]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None
The above CVSS base score has been assigned to CVE-2025-24846.


CVSS V3 Severity:
Base Metrics 5.3 (Medium) [Other]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low
The above CVSS base score has been assigned to CVE-2025-25280.

Affected Products


Century Systems Co., Ltd.
  • FutureNet AS-210/U4 firmware Version 2.6.4 and earlier (CVE-2025-24846)
  • FutureNet AS-210/U4 firmware Version 2.6.6 and earlier (CVE-2025-25280)
  • FutureNet AS-250/F-KO firmware Version 1.14.0 and earlier (CVE-2025-24846, CVE-2025-25280)
  • FutureNet AS-250/F-SC firmware Version 1.14.0 and earlier (CVE-2025-24846, CVE-2025-25280)
  • FutureNet AS-250/KL Rev2 firmware Version 2.6.4 and earlier (CVE-2025-24846)
  • FutureNet AS-250/KL Rev2 firmware Version 2.6.6 and earlier (CVE-2025-25280)
  • FutureNet AS-250/KL firmware Version 1.14.0 and earlier (CVE-2025-24846, CVE-2025-25280)
  • FutureNet AS-250/L firmware Version 2.6.4 and earlier (CVE-2025-24846)
  • FutureNet AS-250/L firmware Version 2.6.6 and earlier (CVE-2025-25280)
  • FutureNet AS-250/NL firmware Version 1.14.0 and earlier (CVE-2025-24846, CVE-2025-25280)
  • FutureNet AS-250/S firmware Version 1.14.0 and earlier (CVE-2025-24846, CVE-2025-25280)
  • FutureNet AS-M250/KL firmware Version 2.6.4 and earlier (CVE-2025-24846)
  • FutureNet AS-M250/KL firmware Version 3.0.0 and earlier (CVE-2025-25280)
  • FutureNet AS-M250/L firmware Version 2.6.4 and earlier (CVE-2025-24846)
  • FutureNet AS-M250/L firmware Version 3.0.0 and earlier (CVE-2025-25280)
  • FutureNet AS-M250/NL firmware Version 2.6.4 and earlier (CVE-2025-24846)
  • FutureNet AS-M250/NL firmware Version 3.0.0 and earlier (CVE-2025-25280)
  • FutureNet AS-P250/KL firmware Version 2.6.4 and earlier (CVE-2025-24846)
  • FutureNet AS-P250/KL firmware Version 2.6.6 and earlier (CVE-2025-25280)
  • FutureNet AS-P250/NL firmware Version 2.6.4 and earlier (CVE-2025-24846)
  • FutureNet AS-P250/NL firmware Version 2.6.6 and earlier (CVE-2025-25280)
  • FutureNet FA-210 firmware Version 1.1.9 and earlier (CVE-2025-25280)
  • FutureNet FA-215 firmware Version 1.0.1 and earlier (CVE-2025-25280)

Impact

* An unauthenticated attacker may obtain device information, such as the MAC address, by sending a specially crafted request (CVE-2025-24846)
* An unauthenticated attacker may reboot the device by sending a specially crafted request (CVE-2025-25280)

Solution

[Update the firmware]
Update the firmware to the latest version according to the information provided by the developer.

[Apply the workaround]
The developer also provides workaround information.

[Stop using the unsupported products]
Some of the affected products are no longer supported.
(See End of sales products (in Japanese))

The developer recommends that users stop using them and switch to alternatives.

For more information, refer to the information provided by the developer.

Vendor Information

Century Systems Co., Ltd.

CWE

  1. Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') (CWE-120) [Other]
  2. Authentication Bypass Using an Alternate Path or Channel (CWE-288) [Other]

CVE

  1. CVE-2025-24846
  2. CVE-2025-25280

References

  1. JVN: JVNVU#96398949

Revision History

  • [2025/03/04]
      Web page was published