
Dbit N300 T1 Pro CVE-2025-65427

Severity: MEDIUM, 6.5 (CVSS 3.1, vendor rating, source: mitre)
Weakness: Improper Restriction of Excessive Authentication Attempts (CWE-307)
Published: 2025-12-16 (cve@mitre.org)

Severity by source

Vendor (mitre), PRIMARY: 6.5 MEDIUM
  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

vuln.today AI: 9.8 CRITICAL
  Rationale: Successful brute-force yields full admin access, granting complete confidentiality, integrity, and availability impact over the device and all traffic it routes.
  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre). The two 3.1 vectors differ only in the C/I/A impact metrics; the AI rating assumes the brute force succeeds and yields admin control.

CVSS Vector (Vendor: mitre)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

1. Analysis Generated: Jul 05, 2026 04:23 (vuln.today)

Description (CVE.org)

An issue was discovered in the Dbit N300 T1 Pro Easy Setup Wireless Wi-Fi Router on firmware version V1.0.0: it does not implement rate limiting on /api/login, allowing attackers to brute-force passwords.

Analysis (AI)

Unauthenticated remote brute force of the Dbit N300 T1 Pro wireless router (firmware V1.0.0) is trivial because the /api/login endpoint imposes no rate limiting, account lockout, or throttling of any kind. Any attacker with network access to the management interface can submit unlimited password guesses until the admin credentials are found; the only cost is the time needed to cover the password space, so a short or guessable admin password falls quickly. A publicly available proof-of-concept exploit exists on GitHub; however, an EPSS of 0.29% (21st percentile) and absence from the CISA KEV catalog suggest exploitation remains limited in practice, most likely because of the product's small market footprint. The vendor and AI severity ratings differ only in assumed impact: MITRE's vector rates the missing control as Low impact, while the AI rating assumes the brute force completes and yields full admin control.
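The analysis describes what the attack looks like on the wire; the following detection shows how to flag it from HTTP access logs. It is an added example, not code from vuln.today or the vendor. It assumes that a reverse proxy, WAF or perimeter firewall in front of the management interface writes Common Log Format lines (the router's own logging is not described on this page), and the sample traffic it parses is constructed, not captured.

```python
"""Flagging a brute force against /api/login from HTTP access logs.

Added example for this page (not from vuln.today or the vendor). Assumes
a reverse proxy, WAF or firewall in front of the management interface
logs in Common Log Format; the sample traffic below is constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)


def parse(line: str):
    """Common Log Format line -> event dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return {"ip": m["ip"], "ts": ts, "method": m["method"],
            "path": m["path"], "status": int(m["status"])}


def detect(lines, threshold: int = 10, window: float = 60.0) -> list:
    """Emit 'bruteforce' once a source has `threshold` 401s to POST
    /api/login inside `window` seconds (once per source), and
    'success_after_bruteforce' if that source then gets a 200 while the
    burst is still inside the window: the password was probably found."""
    failures = defaultdict(deque)   # ip -> timestamps of recent 401s
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None or ev["method"] != "POST" or ev["path"] != "/api/login":
            continue
        q = failures[ev["ip"]]
        while q and ev["ts"] - q[0] > window:   # slide the window forward
            q.popleft()
        if ev["status"] == 401:
            q.append(ev["ts"])
            if len(q) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append({"type": "bruteforce", "ip": ev["ip"],
                               "failures": len(q), "window": window})
        elif ev["status"] == 200 and len(q) >= threshold:
            alerts.append({"type": "success_after_bruteforce",
                           "ip": ev["ip"], "prior_failures": len(q)})
    return alerts


def build_sample_log() -> list:
    """Constructed traffic: a LAN user mistypes twice and then logs in;
    an Internet host makes 30 guesses in 15 seconds and gets a 200."""
    def line(ip, second, status, req="POST /api/login"):
        ts = datetime(2025, 12, 16, 10, 0, second, tzinfo=timezone.utc)
        stamp = ts.strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{stamp}] "{req} HTTP/1.1" {status} 52'
    lines = [line("192.168.1.20", 1, 401), line("192.168.1.20", 5, 401),
             line("192.168.1.20", 9, 200)]
    lines += [line("203.0.113.7", 20 + i // 2, 401) for i in range(30)]
    lines.append(line("203.0.113.7", 36, 200))
    lines.append(line("203.0.113.7", 37, 200, req="GET /api/status"))
    return lines


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(alert)
```

The second alert type is the one worth paging on: a 200 from a source that just produced a burst of 401s is the signature of a completed brute force rather than an attempt. Tune the threshold against real traffic, since a LAN user fumbling a password should stay well below it; and once a throttled endpoint is in place, count 429 and 423 responses as failures too.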

Technical Context (AI)

The affected device is identified by CPE cpe:2.3:o:dbitnet:dbit_n300_t1_pro_firmware:1.0.0:*:*:*:*:*:*:*, a consumer-grade 802.11n Wi-Fi router whose web management interface is driven by a REST-style API. The root cause maps to CWE-307 (Improper Restriction of Excessive Authentication Attempts): the /api/login endpoint implements none of the usual controls, namely request throttling, exponential backoff, temporary lockout after repeated failures, CAPTCHA challenges, or source-IP blocking. This is a well-documented implementation failure common in budget embedded devices whose management interfaces are built without hardened authentication controls. The attack surface is the router's web API, which is always enabled because it is the primary configuration UI; exposure is therefore governed entirely by which network segments (LAN, WAN) can reach it.
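The weakness is easiest to see next to its fix. The following added example, written for this page and not Dbit firmware or code from any advisory, contrasts an unthrottled login handler with one that layers per-source exponential backoff and a per-account lockout; the credential store, the thresholds and the function names are illustrative assumptions.

```python
"""CWE-307 on a login endpoint: an unthrottled handler beside a hardened one.

Added example for this page, not Dbit firmware and not code from the
advisory. Credential store, thresholds and function names are assumptions.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed credential store (assumption): username -> salted SHA-256.
_SALT = b"example-salt"
_USERS = {"admin": hashlib.sha256(_SALT + b"Tr0ub4dor&3").hexdigest()}


def _password_ok(user: str, password: str) -> bool:
    """Constant-time compare; hash even for unknown users so response
    time does not reveal which usernames exist."""
    got = hashlib.sha256(_SALT + password.encode()).hexdigest()
    expected = _USERS.get(user, "0" * 64)
    return user in _USERS and hmac.compare_digest(got, expected)


def login_unthrottled(user: str, password: str) -> dict:
    """The vulnerable shape: every guess is checked, at line rate, forever."""
    if _password_ok(user, password):
        return {"status": 200, "session": "issued"}
    return {"status": 401}


@dataclass
class LoginGuard:
    """Two layered controls for a login endpoint:
    1. per source IP: after `free_attempts` failures each further failure
       doubles the wait (base_delay, 2*base_delay, ...) up to max_delay;
    2. per account: `lockout_after` failures within `window` seconds lock
       the account for `lockout` seconds whatever the source, which stops
       guessing spread over many IPs."""
    free_attempts: int = 3
    base_delay: float = 1.0
    max_delay: float = 300.0
    lockout_after: int = 10
    window: float = 600.0
    lockout: float = 900.0
    _src_fail: dict = field(default_factory=dict)   # ip -> (count, next_allowed)
    _acct_fail: dict = field(default_factory=dict)  # user -> [failure times]
    _acct_lock: dict = field(default_factory=dict)  # user -> unlock time

    def login(self, ip: str, user: str, password: str, now: float) -> dict:
        if self._acct_lock.get(user, 0.0) > now:
            return {"status": 423, "retry_after": self._acct_lock[user] - now}
        count, next_allowed = self._src_fail.get(ip, (0, 0.0))
        if next_allowed > now:
            return {"status": 429, "retry_after": next_allowed - now}

        if _password_ok(user, password):
            self._src_fail.pop(ip, None)
            self._acct_fail.pop(user, None)
            return {"status": 200, "session": "issued"}

        # Source-IP failure with exponential backoff.
        count += 1
        extra = count - self.free_attempts
        delay = 0.0 if extra <= 0 else min(self.base_delay * 2 ** (extra - 1), self.max_delay)
        self._src_fail[ip] = (count, now + delay)

        # Account failure inside a sliding window.
        recent = [t for t in self._acct_fail.get(user, []) if now - t < self.window]
        recent.append(now)
        self._acct_fail[user] = recent
        if len(recent) >= self.lockout_after:
            self._acct_lock[user] = now + self.lockout
        return {"status": 401}


def simulate_unthrottled(guesses: int) -> dict:
    """Status histogram for `guesses` wrong passwords against admin."""
    hist: dict = {}
    for i in range(guesses):
        status = login_unthrottled("admin", f"wrong{i}")["status"]
        hist[status] = hist.get(status, 0) + 1
    return hist


def simulate_guarded(guard: LoginGuard, guesses: int, sources: list, now: float = 1000.0) -> dict:
    """Same burst through the guard, rotating the source IP over `sources`;
    every request arrives within the same second, as a bot's would."""
    hist: dict = {}
    for i in range(guesses):
        status = guard.login(sources[i % len(sources)], "admin", f"wrong{i}", now)["status"]
        hist[status] = hist.get(status, 0) + 1
    return hist


if __name__ == "__main__":
    print("unthrottled   ", simulate_unthrottled(1000))
    print("guard, 1 IP   ", simulate_guarded(LoginGuard(), 1000, ["203.0.113.7"]))
    print("guard, 50 IPs ", simulate_guarded(LoginGuard(), 1000, [f"198.51.100.{i}" for i in range(50)]))
```

The two simulations show why both layers are needed: against a single source the backoff alone leaves only four guesses checked out of a thousand, but a bot rotating 50 addresses never trips the per-IP delay and is stopped only by the account lockout after ten failures. The lockout is itself a lever for denying the administrator access, which is why it is kept short here and why it belongs behind LAN-only management rather than on a WAN-exposed interface.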

Remediation (AI)

No vendor-released patched firmware version has been identified at the time of analysis: the reference http://dbit.com does not resolve to a specific advisory or fixed firmware download, and no patch version appears in the available NVD or reference data. Until a fix ships, apply compensating controls:

- Disable remote (WAN-side) management if it is enabled, so the admin panel is reachable only from the LAN. This limits exploitation to hosts already on the local network; guest Wi-Fi clients and compromised IoT devices still qualify unless they are isolated from the management interface.
- At the network perimeter, block or rate-limit external access to the router's management port (commonly TCP 80, 443, or 8080) with firewall or ACL rules.
- Set a long, high-entropy admin password immediately. With no rate limiting on the device, password entropy is the only factor bounding the attacker's time and bandwidth cost.
- Monitor http://dbit.com for firmware updates and apply any security release promptly.
