Description
Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 stores sensitive information, including administrative credentials and WiFi pre-shared keys, in plaintext within exported configuration backup files. These backup files can be obtained through legitimate functionality or other weaknesses and do not apply encryption or hashing, allowing attackers to directly extract sensitive information.
Published: 2026-03-23
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Credential Compromise
Action: Patch Immediately
AI Analysis

Impact

Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 writes administrative credentials and WiFi pre‑shared keys in plaintext within exported configuration backup files. The vulnerability, identified as CWE‑256, allows an attacker who can obtain a backup to read sensitive authentication information directly. This exposure can enable unauthorized access to the device’s administrative interface, compromise network security, and potentially allow lateral movement to other systems on the same WiFi network.

Affected Systems

The affected product is the Nexxt Solutions Nebula 300+. The issue exists in all firmware releases up to and including 12.01.01.37. No later versions are explicitly listed as affected, so any device running a firmware version older than 12.01.01.38 may be vulnerable.

Risk and Exploitability

The CVSS score of 6.8 indicates medium severity. The EPSS score of less than 1% suggests low current exploitation likelihood, and the vulnerability is not listed in the CISA KEV catalog. Attackers would need to obtain an exported configuration backup, which can occur through legitimate user functionality or potentially via other weaknesses that provide access to the backup export. While no remote code execution is available, the ability to read credentials directly provides a high‑impact means for privilege escalation and network compromise.

Generated by OpenCVE AI on March 26, 2026 at 12:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Nebula 300+ firmware to version 12.01.01.38 or later to eliminate plaintext credential storage
  • Restrict or disable the configuration backup export feature if not required for operations
  • Educate users and administrators to verify that backup files no longer contain plaintext credentials and WiFi keys
  • Monitor logs for unauthorized backup download activity to detect potential exploitation attempts

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 17:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Nexxtsolutions nebula300plus; Nexxtsolutions nebula300plus Firmware
CPEs | | cpe:2.3:h:nexxtsolutions:nebula300plus:-:*:*:*:*:*:*:*; cpe:2.3:o:nexxtsolutions:nebula300plus_firmware:*:*:*:*:*:*:*:*
Vendors & Products | | Nexxtsolutions nebula300plus; Nexxtsolutions nebula300plus Firmware
Metrics | | cvssV3_1 {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}


Thu, 26 Mar 2026 11:00:00 +0000

Type | Values Removed | Values Added
Description | Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 stores sensitive information, including administrative credentials and WiFi pre-shared keys, in plaintext within exported configuration backup files. | Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 stores sensitive information, including administrative credentials and WiFi pre-shared keys, in plaintext within exported configuration backup files. These backup files can be obtained through legitimate functionality or other weaknesses and do not apply encryption or hashing, allowing attackers to directly extract sensitive information.
Title | Plaintext storage of credentials in configuration backup in Nexxt Nebula 300+ | Plaintext Storage of Credentials in Configuration Backup in Nexxt Nebula 300+

Tue, 24 Mar 2026 10:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Nexxtsolutions; Nexxtsolutions nebula300+
Vendors & Products | | Nexxtsolutions; Nexxtsolutions nebula300+

Mon, 23 Mar 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 12:45:00 +0000

Type | Values Removed | Values Added
Description | | Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 stores sensitive information, including administrative credentials and WiFi pre-shared keys, in plaintext within exported configuration backup files.
Title | | Plaintext storage of credentials in configuration backup in Nexxt Nebula 300+
Weaknesses | | CWE-256
References | |
Metrics | | cvssV4_0 {'score': 6.8, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: TuranSec

Published:

Updated: 2026-03-26T10:46:21.810Z

Reserved: 2026-03-09T18:20:23.399Z

Link: CVE-2026-31850

Vulnrichment

Updated: 2026-03-23T15:07:12.229Z

NVD

Status: Analyzed

Published: 2026-03-23T13:16:30.807

Modified: 2026-04-29T17:39:51.817

Link: CVE-2026-31850

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T13:55:17Z

Weaknesses