Skip to main content

Nebula 300 Tenda F3 V2 0 Firmware CVE-2026-31846

| EUVDEUVD-2026-14402 HIGH
Missing Authentication for Critical Function (CWE-306)
2026-03-23 TuranSec
7.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Mar 23, 2026 - 12:15 euvd
EUVD-2026-14402
Analysis Generated
Mar 23, 2026 - 12:15 vuln.today
CVE Published
Mar 23, 2026 - 12:00 nvd
HIGH 7.1

DescriptionCVE.org

An unauthenticated credential disclosure vulnerability in the /goform/ate endpoint of Nexxt Solutions Nebula 300+ firmware through Nebula300+_v12.01.01.37 allows an adjacent attacker to obtain the administrator password in Base64-encoded form via a crafted HTTP request. The recovered credential can be used to authenticate to the device and facilitates further compromise when combined with other weaknesses present in the firmware.

AnalysisAI

An unauthenticated credential disclosure vulnerability exists in the /goform/ate endpoint of Nexxt Solutions Nebula 300+ firmware (including Tenda F3 v2.0 rebranded variants) through version 12.01.01.37, allowing adjacent network attackers to retrieve the Base64-encoded administrator password without authentication. The recovered credentials enable full device authentication and privilege escalation, facilitating further compromise when combined with other firmware weaknesses. No active KEV listing or public POC availability is currently documented, though the CVSS 6.5 score reflects the significant confidentiality impact despite network-adjacency requirement.

Technical ContextAI

The vulnerability resides in improper input validation and missing authentication controls on the /goform/ate endpoint, a common attack surface in embedded router firmware. The root cause is classified as CWE-306 (Missing Authentication for Critical Function), indicating that credential retrieval functionality lacks proper authorization checks. The affected CPE (cpe:2.3:a:nexxt_solutions:nebula_300+_/_tenda_f3_v2.0_firmware) encompasses both the original Nexxt Nebula 300+ product line and rebranded Tenda F3 v2.0 devices, suggesting shared firmware codebases between vendors. The /goform/ endpoint pattern is typical in consumer router firmware where form-based configuration and management functions are exposed via HTTP, often with insufficient access controls. The Base64 encoding of credentials suggests weak obfuscation rather than cryptographic protection, indicating the developers relied on obscurity rather than proper secrets management.

RemediationAI

Users must upgrade their Nexxt Nebula 300+ or Tenda F3 v2.0 device firmware to a patched version released after 12.01.01.37 (consult https://www.nexxtsolutions.com/connectivity/internal-products/ARN02304U6/ for the latest available release). Until patching is possible, implement network segmentation to restrict access to the device's management interface to trusted administrative networks only, disable remote management features via the device configuration if available, and monitor for suspicious HTTP requests to the /goform/ate endpoint via packet capture or device logs. Additionally, change the default administrator password immediately and consider deploying a reverse proxy or firewall rule-set to block direct access to /goform/ endpoints from untrusted network segments. Organizations using these devices in guest or less-trusted network contexts should prioritize firmware updates as a critical control.

Share

CVE-2026-31846 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy