CVE-2021-39244
Description
Authenticated Semi-Blind Command Injection (via Parameter Injection) exists on Altus Nexto, Nexto Xpress, and Hadron Xtorm devices via the getlogs.cgi tcpdump feature. This affects Nexto NX3003 1.8.11.0, Nexto NX3004 1.8.11.0, Nexto NX3005 1.8.11.0, Nexto NX3010 1.8.3.0, Nexto NX3020 1.8.3.0, Nexto NX3030 1.8.3.0, Nexto NX5100 1.8.11.0, Nexto NX5101 1.8.11.0, Nexto NX5110 1.1.2.8, Nexto NX5210 1.1.2.8, Nexto Xpress XP300 1.8.11.0, Nexto Xpress XP315 1.8.11.0, Nexto Xpress XP325 1.8.11.0, Nexto Xpress XP340 1.8.11.0, and Hadron Xtorm HX3040 1.7.58.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated semi-blind command injection in Altus Nexto, Nexto Xpress, and Hadron Xtorm devices via getlogs.cgi tcpdump feature allows parameter injection.
Vulnerability
The vulnerability resides in the getlogs.cgi script's tcpdump feature on Altus Nexto, Nexto Xpress, and Hadron Xtorm programmable automation controllers (PACs). An authenticated attacker can inject additional operating system commands through the parameters accepted by this script, leading to semi-blind command injection. The affected versions include Nexto NX3003 1.8.11.0, Nexto NX3004 1.8.11.0, Nexto NX3005 1.8.11.0, Nexto NX3010 1.8.3.0, Nexto NX3020 1.8.3.0, Nexto NX3030 1.8.3.0, Nexto NX5100 1.8.11.0, Nexto NX5101 1.8.11.0, Nexto NX5110 1.1.2.8, Nexto NX5210 1.1.2.8, Nexto Xpress XP300 1.8.11.0, Nexto Xpress XP315 1.8.11.0, Nexto Xpress XP325 1.8.11.0, Nexto Xpress XP340 1.8.11.0, and Hadron Xtorm HX3040 1.7.58.0 [1].
Exploitation
The attack requires prior authentication to the device's web interface. An authenticated attacker crafts a malicious HTTP request to the getlogs.cgi endpoint, injecting command parameters that are not properly sanitized. The injection is semi-blind — the attacker cannot directly see the command's output but can observe its effects (e.g., through timing or side channels) or use out-of-band techniques. No additional user interaction is necessary beyond the initial authentication step.
Impact
Successful exploitation allows an authenticated attacker to execute arbitrary operating system commands on the affected device with the privileges of the web server process. This can lead to full compromise of the device, including information disclosure, modification of system configuration, and potential interruption of control operations. The attacker gains a foothold on a critical infrastructure component [1].
Mitigation
As of the publication date (2021-08-23), no official patches or workarounds have been disclosed by the vendor Altus. The vendor's website [1] may be monitored for future security updates. Until a fix is available, restrict authenticated access to the affected devices using network segmentation and strict firewall rules, and monitor logs for suspicious requests to getlogs.cgi.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
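The mitigation advice above says to monitor logs for suspicious requests to getlogs.cgi. The following is an added example, not code from the vendor or from this page, of one way to do that. It assumes a reverse proxy in front of the device writes access logs in common log format and that the parameters travel in the query string; the sample log lines and the parameter names p1/p2 are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Common/combined log format: src ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
SHELL_META = re.compile(r'[;&|`$<>(){}\\\n\r]')     # shell control characters
OPTION_TOKEN = re.compile(r'(?:^|\s)-{1,2}[A-Za-z]')  # value smuggling an extra "-opt"

def reasons(value):
    """Return why a decoded parameter value looks like an injection attempt."""
    out = []
    if SHELL_META.search(value):
        out.append("shell-metacharacter")
    if OPTION_TOKEN.search(value):
        out.append("option-like-token")
    if re.search(r'\s', value.strip()):
        out.append("embedded-whitespace")
    return out

def scan(lines):
    """Yield (line_no, source_ip, parameter, reasons) for getlogs.cgi requests."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.lower().endswith("/getlogs.cgi"):
            continue
        # parse_qsl percent-decodes, so encoded spaces and separators are seen
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            why = reasons(value)
            if why:
                findings.append((n, m["src"], name, why))
    return findings

# Constructed sample log lines (documentation addresses, placeholder parameters)
SAMPLE = [
    '192.0.2.10 - admin [23/Aug/2021:10:00:01 +0000] "GET /getlogs.cgi?p1=eth0&p2=100 HTTP/1.1" 200 512',
    '192.0.2.44 - admin [23/Aug/2021:10:02:17 +0000] "GET /getlogs.cgi?p1=eth0%20--opt%20val HTTP/1.1" 200 0',
    '192.0.2.44 - admin [23/Aug/2021:10:02:40 +0000] "GET /getlogs.cgi?p1=eth0%3Bxyz HTTP/1.1" 200 0',
    '192.0.2.10 - admin [23/Aug/2021:10:03:00 +0000] "GET /index.html?q=a%3Bb HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

If the interface submits these parameters in a POST body, the proxy must be configured to log request bodies before a check like this sees them.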
Affected products (4)
- Altus/Nexto Xpress
- Range: =1.7.58.0
Patches
No patches discovered yet.
References
- seclists.org/fulldisclosure/2021/Aug/21 (mitre, x_refsource_MISC)
- www.altus.com.br (mitre, x_refsource_MISC)