Multiple vulnerabilities in Century Systems FutureNet AS series and FA series
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2025-24846 CVE-2025-25280 |
| CWE-ID | CWE-288 CWE-119 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
FutureNet AS-250/S Hardware solutions / Routers & switches, VoIP, GSM, etc FutureNet AS-250/F-SC Hardware solutions / Routers & switches, VoIP, GSM, etc FutureNet AS-250/F-KO Hardware solutions / Routers & switches, VoIP, GSM, etc FutureNet AS-250/NL Hardware solutions / Routers & switches, VoIP, GSM, etc FutureNet AS-250/KL Hardware solutions / Routers & switches, VoIP, GSM, etc FutureNet AS-250/KL Rev2 Hardware solutions / Routers & switches, VoIP, GSM, etc FutureNet AS-250/L Hardware solutions / Routers & switches, VoIP, GSM, etc FutureNet AS-M250/L Hardware solutions / Routers & switches, VoIP, GSM, etc FutureNet AS-M250/KL Hardware solutions / Routers & switches, VoIP, GSM, etc FutureNet AS-M250/NL Hardware solutions / Routers & switches, VoIP, GSM, etc FutureNet AS-P250/NL Hardware solutions / Routers & switches, VoIP, GSM, etc FutureNet AS-P250/KL Hardware solutions / Routers & switches, VoIP, GSM, etc FutureNet AS-210/U4 Hardware solutions / Routers & switches, VoIP, GSM, etc FutureNet FA-210 Hardware solutions / Routers & switches, VoIP, GSM, etc FutureNet FA-215 Hardware solutions / Routers & switches, VoIP, GSM, etc |
| Vendor | Century Systems |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Authentication bypass using an alternate path or channel
EUVDB-ID: #VU105108
Risk: High
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2025-24846
CWE-ID:
CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to the authentication bypass using an alternate path or channel. A remote attacker can send a specially crafted request and obtain the device information such as MAC address.
MitigationInstall updates from vendor's website.
Vulnerable software versionsFutureNet AS-250/S: 1.14.0
FutureNet AS-250/F-SC: 1.14.0
FutureNet AS-250/F-KO: 1.14.0
FutureNet AS-250/NL: 1.14.0
FutureNet AS-250/KL: 1.14.0
FutureNet AS-250/KL Rev2: 2.6.4
FutureNet AS-250/L: 2.6.4
FutureNet AS-M250/L: 2.6.4
FutureNet AS-M250/KL: 2.6.4
FutureNet AS-M250/NL: 2.6.4
FutureNet AS-P250/NL: 2.6.4
FutureNet AS-P250/KL: 2.6.4
FutureNet AS-210/U4: 2.6.4
CPE2.3- cpe:2.3:h:century_systems:futurenet_as-250_s:*:*:*:*:*:*:*:*
- cpe:2.3:h:century_systems:futurenet_as-250_s:1.14.0:*:*:*:*:*:*:*
- cpe:2.3:h:century_systems:futurenet_as-250_f-sc:*:*:*:*:*:*:*:*
- cpe:2.3:h:century_systems:futurenet_as-250_f-sc:1.14.0:*:*:*:*:*:*:*
- cpe:2.3:h:century_systems:futurenet_as-250_f-ko:*:*:*:*:*:*:*:*
- cpe:2.3:h:century_systems:futurenet_as-250_f-ko:1.14.0:*:*:*:*:*:*:*
- cpe:2.3:h:century_systems:futurenet_as-250_nl:*:*:*:*:*:*:*:*
- cpe:2.3:h:century_systems:futurenet_as-250_nl:1.14.0:*:*:*:*:*:*:*
- cpe:2.3:h:century_systems:futurenet_as-250_kl:*:*:*:*:*:*:*:*
- cpe:2.3:h:century_systems:futurenet_as-250_kl:1.14.0:*:*:*:*:*:*:*
- cpe:2.3:h:century_systems:futurenet_as-250_kl_rev2:*:*:*:*:*:*:*:*
- cpe:2.3:h:century_systems:futurenet_as-250_l:*:*:*:*:*:*:*:*
- cpe:2.3:h:century_systems:futurenet_as-m250_l:*:*:*:*:*:*:*:*
- cpe:2.3:h:century_systems:futurenet_as-m250_kl:*:*:*:*:*:*:*:*
- cpe:2.3:h:century_systems:futurenet_as-m250_nl:*:*:*:*:*:*:*:*
- cpe:2.3:h:century_systems:futurenet_as-p250_nl:*:*:*:*:*:*:*:*
- cpe:2.3:h:century_systems:futurenet_as-p250_kl:*:*:*:*:*:*:*:*
- cpe:2.3:h:century_systems:futurenet_as-210_u4:*:*:*:*:*:*:*:*
https://jvn.jp/en/vu/JVNVU96398949/index.html
https://www.centurysys.co.jp/backnumber/common/jvnvu96398949.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Buffer overflow
EUVDB-ID: #VU105111
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-25280
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error. A remote attacker can trigger memory corruption and cause a denial of service condition on the target system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsFutureNet AS-250/S: 1.14.0
FutureNet AS-250/F-SC: 1.14.0
FutureNet AS-250/F-KO: 1.14.0
FutureNet AS-250/NL: 1.14.0
FutureNet AS-250/KL: 1.14.0
FutureNet AS-250/KL Rev2: 2.6.4
FutureNet AS-250/L: 2.6.4
FutureNet AS-M250/L: 2.6.4
FutureNet AS-M250/KL: 2.6.4
FutureNet AS-M250/NL: 2.6.4
FutureNet AS-P250/NL: 2.6.4
FutureNet AS-P250/KL: 2.6.4
FutureNet AS-210/U4: 2.6.4
FutureNet FA-210: 1.1.9
FutureNet FA-215: 1.0.1
CPE2.3- cpe:2.3:h:century_systems:futurenet_as-250_s:*:*:*:*:*:*:*:*
- cpe:2.3:h:century_systems:futurenet_as-250_s:1.14.0:*:*:*:*:*:*:*
- cpe:2.3:h:century_systems:futurenet_as-250_f-sc:*:*:*:*:*:*:*:*
- cpe:2.3:h:century_systems:futurenet_as-250_f-sc:1.14.0:*:*:*:*:*:*:*
- cpe:2.3:h:century_systems:futurenet_as-250_f-ko:*:*:*:*:*:*:*:*
- cpe:2.3:h:century_systems:futurenet_as-250_f-ko:1.14.0:*:*:*:*:*:*:*
- cpe:2.3:h:century_systems:futurenet_as-250_nl:*:*:*:*:*:*:*:*
- cpe:2.3:h:century_systems:futurenet_as-250_nl:1.14.0:*:*:*:*:*:*:*
- cpe:2.3:h:century_systems:futurenet_as-250_kl:*:*:*:*:*:*:*:*
- cpe:2.3:h:century_systems:futurenet_as-250_kl:1.14.0:*:*:*:*:*:*:*
- cpe:2.3:h:century_systems:futurenet_as-250_kl_rev2:*:*:*:*:*:*:*:*
- cpe:2.3:h:century_systems:futurenet_as-250_l:*:*:*:*:*:*:*:*
- cpe:2.3:h:century_systems:futurenet_as-m250_l:*:*:*:*:*:*:*:*
- cpe:2.3:h:century_systems:futurenet_as-m250_kl:*:*:*:*:*:*:*:*
- cpe:2.3:h:century_systems:futurenet_as-m250_nl:*:*:*:*:*:*:*:*
- cpe:2.3:h:century_systems:futurenet_as-p250_nl:*:*:*:*:*:*:*:*
- cpe:2.3:h:century_systems:futurenet_as-p250_kl:*:*:*:*:*:*:*:*
- cpe:2.3:h:century_systems:futurenet_as-210_u4:*:*:*:*:*:*:*:*
- cpe:2.3:h:century_systems:futurenet_fa-210:*:*:*:*:*:*:*:*
- cpe:2.3:h:century_systems:futurenet_fa-215:*:*:*:*:*:*:*:*
https://jvn.jp/en/vu/JVNVU96398949/index.html
https://www.centurysys.co.jp/backnumber/common/jvnvu96398949.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
