VYPR
Unrated severity · NVD Advisory · Published Aug 23, 2021 · Updated Aug 4, 2024

CVE-2021-39245

Description

Hardcoded .htaccess Credentials for getlogs.cgi exist on Altus Nexto, Nexto Xpress, and Hadron Xtorm devices. This affects Nexto NX3003 1.8.11.0, Nexto NX3004 1.8.11.0, Nexto NX3005 1.8.11.0, Nexto NX3010 1.8.3.0, Nexto NX3020 1.8.3.0, Nexto NX3030 1.8.3.0, Nexto NX5100 1.8.11.0, Nexto NX5101 1.8.11.0, Nexto NX5110 1.1.2.8, Nexto NX5210 1.1.2.8, Nexto Xpress XP300 1.8.11.0, Nexto Xpress XP315 1.8.11.0, Nexto Xpress XP325 1.8.11.0, Nexto Xpress XP340 1.8.11.0, and Hadron Xtorm HX3040 1.7.58.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Hardcoded .htaccess credentials for getlogs.cgi exist in multiple Altus Nexto, Nexto Xpress, and Hadron Xtorm devices, enabling unauthenticated access to sensitive logs.

Vulnerability

Hardcoded credentials in the .htaccess file protect the getlogs.cgi CGI script on Altus Nexto, Nexto Xpress, and Hadron Xtorm industrial automation devices. This affects the Nexto NX3003, NX3004, NX3005, NX3010, NX3020, NX3030, NX5100, NX5101, NX5110, and NX5210 models; the Nexto Xpress XP300, XP315, XP325, and XP340 models; and the Hadron Xtorm HX3040. The vulnerability exists in firmware versions 1.8.11.0, 1.8.3.0, 1.1.2.8, and 1.7.58.0 as listed in the advisory [1].

Exploitation

An attacker with network access to the device's web interface can exploit the hardcoded credentials by simply using the known username and password to authenticate to getlogs.cgi. No prior authentication or user interaction is required, and the credentials are not obfuscated. The attacker can retrieve log files by directly accessing the endpoint [1].

Impact

Successful exploitation results in disclosure of system logs, which may contain sensitive operational data, configuration details, or debugging information that could aid further attacks. The impact is limited to information disclosure, but it undermines device security assumptions and can be a stepping stone for broader compromise [1].

Mitigation

Altus has not released a public patch or advisory at the time of this writing (reference [1] does not detail a fix). The devices listed may be end-of-life or unsupported. As a workaround, restrict network access to the web interface to trusted hosts only or disable the getlogs.cgi script if not required. No CISA KEV listing was found for this CVE.
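As an added, defender-side example that is not part of this advisory or any Altus tooling: the workaround above relies on the web interface being reachable only from trusted hosts, and a simple way to verify that and to spot log retrieval from anywhere else is to scan the device's web-server access log for requests to getlogs.cgi from addresses outside the allow-list. The script assumes the server writes Common/Combined Log Format lines (an assumption; the advisory does not state the device's log format); the trusted networks and the sample log lines are constructed for the example.

```python
import ipaddress
import re

# The CGI endpoint named in the advisory. Other paths can be added as needed.
SENSITIVE_PATHS = ("/getlogs.cgi",)

# Hosts allowed to reach the device web interface (engineering workstations,
# a jump host). These networks are constructed for the example.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.10.5.0/24"),
    ipaddress.ip_network("192.168.100.7/32"),
]

# Common/Combined Log Format: client ident authuser [timestamp] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None for malformed input."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # Strip the query string so "/getlogs.cgi?x=y" still matches the path list.
    rec["path"] = rec["target"].split("?", 1)[0]
    rec["status"] = int(rec["status"])
    return rec


def is_trusted(ip_text, trusted=TRUSTED_NETWORKS):
    """True if the client address falls inside an allow-listed network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # an unparsable address is never trusted
    return any(ip in net for net in trusted)


def find_log_endpoint_access(lines, trusted=TRUSTED_NETWORKS):
    """Return findings for requests to sensitive endpoints from untrusted clients.

    A 2xx response is tagged 'disclosure' (the log data was served); anything
    else is tagged 'attempt', which is still worth alerting on.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash
        if rec["path"] not in SENSITIVE_PATHS:
            continue
        if is_trusted(rec["ip"], trusted):
            continue
        outcome = "disclosure" if 200 <= rec["status"] < 300 else "attempt"
        findings.append({
            "ip": rec["ip"], "user": rec["user"], "ts": rec["ts"],
            "path": rec["path"], "status": rec["status"], "outcome": outcome,
        })
    return findings


# Constructed sample log lines; addresses are taken from documentation ranges.
SAMPLE_LOG = """\
10.10.5.21 - - [23/Aug/2021:10:01:02 +0000] "GET /getlogs.cgi HTTP/1.1" 200 5123
203.0.113.45 - - [23/Aug/2021:10:04:17 +0000] "GET /index.html HTTP/1.1" 200 2210
203.0.113.45 - - [23/Aug/2021:10:04:31 +0000] "GET /getlogs.cgi?file=system HTTP/1.1" 200 8840
198.51.100.9 - - [23/Aug/2021:10:09:05 +0000] "GET /getlogs.cgi HTTP/1.1" 401 -
this line is not a valid access-log record
"""


def main():
    for f in find_log_endpoint_access(SAMPLE_LOG.splitlines()):
        print(f"{f['outcome']:<10} {f['ts']} {f['ip']} {f['path']} -> {f['status']}")


if __name__ == "__main__":
    main()
```

Run against the sample, the trusted workstation's request is ignored, the successful fetch from 203.0.113.45 is reported as a disclosure, and the rejected request from 198.51.100.9 is reported as an attempt. Because the credentials are fixed in firmware, a 401 from an untrusted host is still a useful signal: it shows the interface is reachable from where the workaround says it should not be.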

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 4
Patches: 0 (no patches discovered yet)
Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.
References: 2
News mentions: 0 (no linked articles in our index yet)