CVE-2021-39245
7.5 HIGH · Hardcoded .htaccess Credentials for getlogs.cgi exist on Altus Nexto, Nexto Xpress, and Hadron Xtorm devices
Published: 2021-08-23 · Last updated: 2026-06-17
Severity and scoring
- CVSS: 7.5 HIGH
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- CWE: CWE-798
Affected products
| Vendor | Product |
|---|---|
| altus | hadron_xtorm_hx3040_firmware, nexto_nx3003_firmware, nexto_nx3004_firmware |
Description
Hardcoded .htaccess Credentials for getlogs.cgi exist on Altus Nexto, Nexto Xpress, and Hadron Xtorm devices. This affects Nexto NX3003 1.8.11.0, Nexto NX3004 1.8.11.0, Nexto NX3005 1.8.11.0, Nexto NX3010 1.8.3.0, Nexto NX3020 1.8.3.0, Nexto NX3030 1.8.3.0, Nexto NX5100 1.8.11.0, Nexto NX5101 1.8.11.0, Nexto NX5110 1.1.2.8, Nexto NX5210 1.1.2.8, Nexto Xpress XP300 1.8.11.0, Nexto Xpress XP315 1.8.11.0, Nexto Xpress XP325 1.8.11.0, Nexto Xpress XP340 1.8.11.0, and Hadron Xtorm HX3040 1.7.58.0.
Source: NVD
References
- [NVD](https://nvd.nist.gov/vuln/detail/CVE-2021-39245)
- [Exploit reference](https://seclists.org/fulldisclosure/2021/Aug/21)
- [Vendor advisory](https://www.altus.com.br/)
Related CVEs
Same vendor
- CVE-2021-39244 — Authenticated Semi-Blind Command Injection (via Parameter Injection) exists on Altus Nexto, Nexto Xpress, and Hadron Xtorm devices via th... (8.8 HIGH)
- CVE-2021-39243 — Cross-Site Request Forgery (CSRF) exists on Altus Nexto, Nexto Xpress, and Hadron Xtorm devices via any CGI endpoint (6.5 MEDIUM)
Same CWE
- CVE-2026-22312 — The device has a webserver that exposes a REST API authenticated with a constant token (8.6 HIGH)
- CVE-2026-50083 — The Aqara IAM/SSO Gateway (gw-builder.aqara.com) used a hardcoded OAuth client credential, which is an instance of "CWE-798: Use of Hard-... (9.1 CRITICAL)
- CVE-2026-10557 — The Yarbo Android and iOS applications contain hard-coded MQTT broker credentials that are identical for all users and all devices (9.8 CRITICAL)
- CVE-2026-11849 — The iRM-IEI Remote Management developed by IEI Integration Corp has a Hardcoded Credentials vulnerability, allowing unauthenticated remo... (9.8 CRITICAL)
- CVE-2026-47281 — Improper input validation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network (9.6 CRITICAL)