|
JVNDB-2025-001898
|
Multiple vulnerabilities in FutureNet AS series (Industrial Routers) and FA series (Protocol Conversion Machine)
|
FutureNet AS series (Industrial Routers) and FA series (Protocol Conversion Machine) provided by Century Systems Co., Ltd. contain multiple vulnerabilities listed below.
* Authentication Bypass (CWE-288) - CVE-2025-24846
* Buffer Overflow (CWE-120) - CVE-2025-25280
Chuya Hayakawa and Ryo Kamino of 00One, Inc. reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.
|
CVSS V3 Severity: Base Metrics 7.5 (High) [Other]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2025-24846
|
CVSS V3 Severity: Base Metrics 5.3 (Medium) [Other]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
The above CVSS base scores have been assigned for CVE-2025-25280
|
Century Systems Co., Ltd.
- FutureNet AS-210/U4 firmware Version 2.6.4 and earlier (CVE-2025-24846)
- FutureNet AS-210/U4 firmware Version 2.6.6 and earlier (CVE-2025-25280)
- FutureNet AS-250/F-KO firmware Version 1.14.0 and earlier (CVE-2025-24846, CVE-2025-25280)
- FutureNet AS-250/F-SC firmware Version 1.14.0 and earlier (CVE-2025-24846, CVE-2025-25280)
- FutureNet AS-250/KL Rev2 firmware Version 2.6.4 and earlier (CVE-2025-24846)
- FutureNet AS-250/KL Rev2 firmware Version 2.6.6 and earlier (CVE-2025-25280)
- FutureNet AS-250/KL firmware Version 1.14.0 and earlier (CVE-2025-24846, CVE-2025-25280)
- FutureNet AS-250/L firmware Version 2.6.4 and earlier (CVE-2025-24846)
- FutureNet AS-250/L firmware Version 2.6.6 and earlier (CVE-2025-25280)
- FutureNet AS-250/NL firmware Version 1.14.0 and earlier (CVE-2025-24846, CVE-2025-25280)
- FutureNet AS-250/S firmware Version 1.14.0 and earlier (CVE-2025-24846, CVE-2025-25280)
- FutureNet AS-M250/KL firmware Version 2.6.4 and earlier (CVE-2025-24846)
- FutureNet AS-M250/KL firmware Version 3.0.0 and earlier (CVE-2025-25280)
- FutureNet AS-M250/L firmware Version 2.6.4 and earlier (CVE-2025-24846)
- FutureNet AS-M250/L firmware Version 3.0.0 and earlier (CVE-2025-25280)
- FutureNet AS-M250/NL firmware Version 2.6.4 and earlier (CVE-2025-24846)
- FutureNet AS-M250/NL firmware Version 3.0.0 and earlier (CVE-2025-25280)
- FutureNet AS-P250/KL firmware Version 2.6.4 and earlier (CVE-2025-24846)
- FutureNet AS-P250/KL firmware Version 2.6.6 and earlier (CVE-2025-25280)
- FutureNet AS-P250/NL firmware Version 2.6.4 and earlier (CVE-2025-24846)
- FutureNet AS-P250/NL firmware Version 2.6.6 and earlier (CVE-2025-25280)
- FutureNet FA-210 firmware Version 1.1.9 and earlier (CVE-2025-25280)
- FutureNet FA-215 firmware Version 1.0.1 and earlier (CVE-2025-25280)
|
* An unauthenticated attacker may obtain device information such as the MAC address by sending a specially crafted request (CVE-2025-24846)
* An unauthenticated attacker may reboot the device by sending a specially crafted request (CVE-2025-25280)
|
[Update the firmware]
Update the firmware to the latest version according to the information provided by the developer.
[Apply the workaround]
The developer also provides the workaround information.
[Stop using the unsupported products]
Some of the affected products are no longer supported.
(See End of sales products (in Japanese))
The developer recommends that users stop using them and switch to alternatives.
For more information, refer to the information provided by the developer.
|
Century Systems Co., Ltd.
|
- Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') (CWE-120) [Other]
- Authentication Bypass Using an Alternate Path or Channel (CWE-288) [Other]
|
- CVE-2025-24846
- CVE-2025-25280
|
- JVN : JVNVU#96398949
|
- [2025/03/04]
Web page was published
|