Skip to main content

U-SPEED N300 router CVE-2026-36959

| EUVDEUVD-2026-26380 HIGH
Improper Restriction of Excessive Authentication Attempts (CWE-307)
2026-04-30 mitre
7.5
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from Vendor (mitre) · only source for this CVE.

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Analysis Generated
Apr 30, 2026 - 17:46 vuln.today
CVSS changed
Apr 30, 2026 - 16:22 NVD
7.5 (HIGH)
EUVD ID Assigned
Apr 30, 2026 - 15:00 euvd
EUVD-2026-26380
Analysis Generated
Apr 30, 2026 - 15:00 vuln.today
CVE Published
Apr 30, 2026 - 00:00 nvd
HIGH 7.5

DescriptionCVE.org

U-SPEED N300 router V1.0.0 does not implement rate limiting or account lockout protections on the /api/login endpoint. This allows an attacker on the local network to perform unlimited authentication attempts, enabling brute-force attacks against the administrator account and potential unauthorized access to the router management interface.

AnalysisAI

Brute-force attacks against U-SPEED N300 router V1.0.0 can compromise administrator credentials due to missing rate limiting on the /api/login endpoint. Local network attackers can execute unlimited authentication attempts without account lockout, enabling credential compromise and unauthorized access to router management. SSVC indicates proof-of-concept exists and the attack is automatable with partial technical impact. CVSS 7.5 reflects network accessibility, but the vulnerability description specifies 'local network' access requirement, suggesting the actual attack vector may be more constrained than the AV:N metric indicates.

Technical ContextAI

This is a CWE-307 (Improper Restriction of Excessive Authentication Attempts) vulnerability in the web management interface of the U-SPEED N300 router firmware V1.0.0. The /api/login REST API endpoint lacks fundamental authentication security controls: no rate limiting throttles request frequency, no account lockout occurs after failed attempts, and no CAPTCHA or similar challenge-response mechanism protects against automated credential stuffing. This implementation flaw is common in embedded device firmware where developers prioritize functionality over security hardening. The CPE string is incomplete (cpe:2.3:a:n/a:n/a), indicating the product is not yet formally catalogued in NVD's product database, which may reflect the vendor's limited security ecosystem maturity.

RemediationAI

No vendor-released patch identified at time of analysis - the vendor website (http://u-speed.com) and researcher disclosure (https://github.com/kirubel-cve/CVE-2026-36959) do not reference a security update or fixed firmware version. Until a patch is available, implement network-layer compensating controls: isolate the router management interface to a dedicated VLAN accessible only from trusted administrator workstations, restricting access via firewall rules that permit only specific source IPs to reach the management interface. This reduces attack surface but requires network segmentation capability and does not protect against attacks from compromised trusted hosts. Alternatively, disable remote management entirely and configure the router only via direct physical console access, though this severely limits operational flexibility. Change default administrator credentials to strong passwords (16+ characters, high entropy) to increase brute-force time requirements from minutes to years, though this is defense-in-depth rather than a true fix given unlimited attempts. Deploy network intrusion detection systems to alert on excessive authentication failures from single source IPs as a detective control. Monitor the vendor website and researcher GitHub repository for patch announcements.

More in N A

View all
CVE-2026-31072 CRITICAL POC
9.8 May 19

Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali

CVE-2026-36356 CRITICAL POC
9.1 May 05

Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST

CVE-2026-31071 CRITICAL POC
9.1 May 19

Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al

CVE-2025-66391 HIGH POC
8.8 Jun 17

In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o

CVE-2026-26740 HIGH POC
8.2 Mar 18

Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when

CVE-2025-60464 HIGH POC
7.8 Jun 25

Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_

CVE-2026-36355 HIGH POC
7.7 May 05

Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc

CVE-2025-60474 HIGH POC
7.5 Jun 24

Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s

CVE-2026-38639 HIGH POC
7.5 Jun 26

An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S

CVE-2026-38641 HIGH POC
7.5 Jun 26

Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge

CVE-2026-38637 HIGH POC
7.5 Jun 25

An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S

CVE-2026-38640 HIGH POC
7.5 Jun 25

Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce

Share

CVE-2026-36959 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy