CVE-2026-31848 PUBLISHED

Reversible ecos_pw cookie allows administrative authentication in Nexxt Nebula 300+

Assigner: TuranSec
Reserved: 09.03.2026 Published: 23.03.2026 Updated: 23.03.2026

Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 stores administrative authentication material in the ecos_pw cookie using a reversible Base64-encoded format with a static suffix. An attacker who obtains or derives this cookie value can forge a valid administrative session and gain unauthorized access to the device.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 8.7

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Adjacent	Confidentiality	High	Confidentiality	None
Attack Complexity	Low	Integrity	High	Integrity	None
Attack Requirements	None	Availability	High	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	Nexxt Solutions
Product	Nebula 300+
Versions	Default: unaffected Version <= 12.01.01.37 is affected

Credits

Angel Barre (call4pwn) finder

References

Problem Types

CWE-312 Cleartext Storage of Sensitive Information CWE

Impacts

An attacker who obtains or reconstructs the ecos_pw cookie value can authenticate as an administrator and gain unauthorized access to the device.