CVE-2026-31846
Credential Disclosure in Nexxt Nebula300+ via /goform/ate Endpoint
Publication date: 2026-03-23
Last updated on: 2026-03-26
Assigner: 309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nexxt_solutions | nebula_300+ | 12.01.01.37 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an unauthenticated credential disclosure issue found in the /goform/ate endpoint of Nexxt Solutions Nebula 300+ firmware versions up to Nebula300+_v12.01.01.37.
An attacker who is adjacent to the device (on the same network segment) can send a specially crafted HTTP request to this endpoint and obtain the administrator password in Base64-encoded form without needing to authenticate.
Once the attacker recovers the administrator credential, they can use it to log into the device and potentially carry out further attacks by exploiting other weaknesses in the firmware.
How can this vulnerability impact me? :
The impact of this vulnerability is that an attacker on the same network can gain unauthorized access to the administrator account of the affected device.
With the administrator password, the attacker can authenticate to the device, which may allow them to change configurations, intercept network traffic, or exploit additional vulnerabilities present in the firmware.
This can lead to a compromise of the device's security and potentially the broader network it is connected to.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring HTTP requests to the /goform/ate endpoint on Nexxt Solutions Nebula 300+ devices. An attacker sends a crafted HTTP request to this endpoint to retrieve the administrator password in Base64-encoded form.
To detect attempts or exploitation, you can capture and analyze network traffic for HTTP requests targeting the /goform/ate endpoint from adjacent network sources.
Example commands to detect such activity include using packet capture tools like tcpdump or Wireshark:
- tcpdump -i <interface> 'tcp port 80 and (((ip src <adjacent_network>) and (tcp[32:4] = 0x2f676f66)) or (tcp[((tcp[12] & 0xf0) >> 2):4] = 0x2f676f66))'
- In this command, '0x2f676f66' is the hex representation of '/gof' (start of '/goform/ate'), and <interface> and <adjacent_network> should be replaced with your network interface and adjacent network IP range respectively.
Alternatively, you can use web server logs or intrusion detection systems to look for HTTP requests to /goform/ate endpoint without authentication.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable device's management interface to trusted networks only, especially blocking access from adjacent networks where possible.
Since the vulnerability allows unauthenticated disclosure of administrator credentials via the /goform/ate endpoint, disabling or restricting access to this endpoint can help mitigate the risk.
Additionally, changing the administrator password after any suspected compromise is recommended.
Monitoring for unusual HTTP requests to the /goform/ate endpoint and applying network segmentation to limit exposure can also reduce the attack surface.
Finally, check for firmware updates from Nexxt Solutions that address this vulnerability and apply them as soon as they become available.