Skip to main content

Nebula 300 CVE-2026-31851

| EUVDEUVD-2026-14421 HIGH
Improper Restriction of Excessive Authentication Attempts (CWE-307)
2026-03-23 TuranSec GHSA-v8rr-whp7-p37j
7.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.7 HIGH
CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Re-analysis Queued
Apr 29, 2026 - 17:52 vuln.today
cvss_changed
EUVD ID Assigned
Mar 23, 2026 - 12:45 euvd
EUVD-2026-14421
Analysis Generated
Mar 23, 2026 - 12:45 vuln.today
CVE Published
Mar 23, 2026 - 12:21 nvd
HIGH 7.7

DescriptionCVE.org

Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 does not implement rate limiting or account lockout on the authentication interface.

AnalysisAI

Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 lacks rate limiting and account lockout mechanisms on its authentication interface, enabling attackers to conduct brute-force attacks against user credentials without operational resistance. This vulnerability affects the Nebula 300+ device family as confirmed through CPE matching. An attacker with network access to the authentication interface can enumerate valid accounts and attempt unlimited password guesses, potentially compromising administrative or user-level access to the device.

Technical ContextAI

The Nexxt Solutions Nebula 300+ is a network connectivity appliance that exposes an authentication interface for administrative management. The vulnerability root cause is classified under CWE-307 (Improper Restriction of Rendered UI Layers or Frames) and more specifically represents a failure to implement fundamental account protection mechanisms—rate limiting (request throttling) and account lockout (temporary or permanent deactivation after failed attempts). These controls are standard defensive measures in modern authentication systems, typically implemented at the application or firmware level to mitigate credential brute-force attacks. The absence of both mechanisms in firmware versions up to 12.01.01.37 creates a direct pathway for automated credential enumeration. The CPE identifier cpe:2.3:a:nexxt_solutions:nebula_300+:*:*:*:*:*:*:*:* confirms all versions of the Nebula 300+ product line are potentially affected until a patched firmware release is deployed.

RemediationAI

Organizations using Nexxt Solutions Nebula 300+ devices must prioritize upgrading to a patched firmware version beyond 12.01.01.37 that implements rate limiting and account lockout mechanisms. Check the Nexxt Solutions product support portal (https://www.nexxtsolutions.com/connectivity/internal-products/ARN02304U6/) for the latest available firmware release and deployment instructions. As an interim mitigation, restrict network access to the Nebula 300+ authentication interface using firewall rules to allow connections only from trusted administrative networks or management subnets; implement VPN or jump-host requirements for remote management access; and monitor authentication logs for evidence of brute-force attempts (repeated failed login events from single sources). Additionally, enforce strong, unique administrative credentials and consider implementing external authentication mechanisms (RADIUS, LDAP) if the device supports them, which may provide additional rate-limiting at the authentication server level.

Share

CVE-2026-31851 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy