Severity by source
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 stores administrative authentication material in the ecos_pw cookie using a reversible Base64-encoded format with a static suffix. An attacker who obtains or derives this cookie value can forge a valid administrative session and gain unauthorized access to the device.
AnalysisAI
The Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 contains an authentication bypass vulnerability where administrative credentials are stored in the ecos_pw cookie using reversible Base64 encoding with a static suffix, allowing attackers who obtain this cookie to forge valid administrative sessions and gain unauthorized device access. The vulnerability affects a network appliance product line and represents a critical authentication control failure. No CVSS score or EPSS data is currently available, and KEV/active exploitation status is unknown; however, the reversible encoding mechanism and static suffix suggest this is likely highly exploitable in practice.
Technical ContextAI
The vulnerability stems from improper credential storage in HTTP cookies, violating CWE-312 (Cleartext Storage of Sensitive Information). The Nexxt Solutions Nebula 300+ (identified via CPE cpe:2.3:a:nexxt_solutions:nebula_300+:*:*:*:*:*:*:*:*) uses a cookie-based session mechanism for administrative authentication; instead of storing cryptographically-derived session tokens, the firmware stores authentication material directly in the ecos_pw cookie using Base64 encoding—a reversible, non-cryptographic encoding scheme. The addition of a static suffix further weakens security by making the encoding format predictable and reducing effective entropy. This design assumes obscurity rather than implementing proper credential handling such as salted hashing, encrypted storage, or server-side session tokens.
RemediationAI
Upgrade Nexxt Solutions Nebula 300+ firmware to a version newer than 12.01.01.37 as soon as a patched release is available from the vendor (consult https://www.nexxtsolutions.com/connectivity/internal-products/ARN02304U6/ for updates). Until a patch is deployed, implement network-level controls: restrict administrative access to the device via network segmentation or firewall rules limiting management traffic to trusted IP ranges, enforce HTTPS-only communication to reduce cookie interception risk, disable or restrict cookie-based authentication in favor of certificate-based or multi-factor authentication if the device supports it, and monitor for suspicious administrative login activity. Additionally, audit all active administrative sessions and consider rotating any administrative credentials that may have been exposed. Isolate affected Nebula 300+ devices from untrusted networks until patching is complete.
More in Nebula 300
View allA hidden functionality vulnerability exists in the /goform/setSysTools endpoint of Nexxt Solutions Nebula 300+ firmware
Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 lacks rate limiting and account lockout mechanisms on i
This vulnerability is a Cross-Site Request Forgery (CSRF) flaw affecting the Nexxt Solutions Nebula 300+ device firmware
The Nexxt Solutions Nebula 300+ wireless router stores sensitive administrative credentials and WiFi pre-shared keys in
Same weakness CWE-312 – Cleartext Storage of Sensitive Information
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14415
GHSA-7xw4-69gx-5gch