CVE-2021-39243
Description
Cross-Site Request Forgery (CSRF) exists on Altus Nexto, Nexto Xpress, and Hadron Xtorm devices via any CGI endpoint. This affects Nexto NX3003 1.8.11.0, Nexto NX3004 1.8.11.0, Nexto NX3005 1.8.11.0, Nexto NX3010 1.8.3.0, Nexto NX3020 1.8.3.0, Nexto NX3030 1.8.3.0, Nexto NX5100 1.8.11.0, Nexto NX5101 1.8.11.0, Nexto NX5110 1.1.2.8, Nexto NX5210 1.1.2.8, Nexto Xpress XP300 1.8.11.0, Nexto Xpress XP315 1.8.11.0, Nexto Xpress XP325 1.8.11.0, Nexto Xpress XP340 1.8.11.0, and Hadron Xtorm HX3040 1.7.58.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A CSRF vulnerability in Altus Nexto, Nexto Xpress, and Hadron Xtorm devices allows attackers to trigger state-changing actions via crafted requests.
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability exists in the web interface of multiple Altus programmable logic controller (PLC) families: Nexto NX3003 (version 1.8.11.0), NX3004 (1.8.11.0), NX3005 (1.8.11.0), NX3010 (1.8.3.0), NX3020 (1.8.3.0), NX3030 (1.8.3.0), NX5100 (1.8.11.0), NX5101 (1.8.11.0), NX5110 (1.1.2.8), NX5210 (1.1.2.8); Nexto Xpress XP300 (1.8.11.0), XP315 (1.8.11.0), XP325 (1.8.11.0), XP340 (1.8.11.0); and Hadron Xtorm HX3040 (1.7.58.0). The vulnerability affects every CGI endpoint, meaning any authenticated action that can be performed via the web interface is susceptible to CSRF if the victim is tricked into visiting an attacker-controlled page [1].
Exploitation
An attacker must craft a malicious web page or email that contains a forged request targeting any CGI endpoint on an affected device. The victim must be authenticated to the device's web interface in the same browser session. No special network position is required beyond the ability to deliver the malicious content to the victim (e.g., via phishing). The attacker does not need any prior access to the device. The forged request is automatically submitted when the victim loads the attacker's content, leveraging the victim's existing session [1].
Impact
Successful exploitation allows the attacker to perform any action that the authenticated victim can perform on the device's web interface. This could include modifying device configuration, firmware settings, or other operational parameters, potentially leading to disruption of industrial control processes. The impact is limited to the privileges of the victim session; no privilege escalation is achieved [1].
Mitigation
As of the publication date (2021-08-23), no fixed versions or official workarounds have been disclosed by Altus in the available references [1]. Users should consider implementing network-level protections such as restricting access to the device web interface to trusted IPs only, and ensuring that operators do not browse untrusted sites while authenticated to the device. The vendor's advisory or updated firmware should be monitored for future patches.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Altus/Nexto Xpress
- Range: = 1.8.11.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- seclists.org/fulldisclosure/2021/Aug/21
- www.altus.com.br
News mentions
No linked articles in our index yet.