Skip to main content

Brute Force EUVDEUVD-2026-24083

| CVE-2026-41038 HIGH
Weak Password Requirements (CWE-521)
2026-04-21 CERT-In GHSA-mqx2-c63m-7p93
7.6
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.6 HIGH
CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Re-analysis Queued
Apr 21, 2026 - 16:22 vuln.today
cvss_changed
Analysis Generated
Apr 21, 2026 - 13:33 vuln.today
CVSS changed
Apr 21, 2026 - 11:22 NVD
7.6 (HIGH)
EUVD ID Assigned
Apr 21, 2026 - 11:00 euvd
EUVD-2026-24083
Analysis Generated
Apr 21, 2026 - 11:00 vuln.today
CVE Published
Apr 21, 2026 - 10:22 nvd
HIGH 7.6

DescriptionCVE.org

This vulnerability exists in Quantum Networks router due to lack of enforcement of strong password policies in the web-based management interface. An attacker on the same network could exploit this vulnerability by performing password guessing or brute-force attacks against user accounts, leading to unauthorized access to the targeted device.

AnalysisAI

Weak password policy enforcement in Quantum Networks router QN-I-470 version 6.1.1.B1 enables adjacent network attackers to gain unauthorized administrative access through password brute-force attacks. CVSS 7.6 reflects adjacent network requirement (AV:A) and high complexity (AC:H), limiting exploitation to attackers already on the local network segment. No active exploitation confirmed (not in CISA KEV), but authentication bypass via brute-force is a well-understood attack primitive requiring only network proximity and time.

Technical ContextAI

The vulnerability stems from CWE-521 (Weak Password Requirements), where the router's web-based management interface fails to enforce strong password policies such as minimum complexity requirements, account lockout mechanisms, or rate limiting on authentication attempts. The affected product is Quantum Networks router model QN-I-470 version 6.1.1.B1 (CPE: cpe:2.3:a:quantum_networks:router_qn-i-470:*:*:*:*:*:*:*:*). The CVSS 4.0 vector indicates Adjacent Network attack vector (AV:A), meaning the attacker must be on the same network segment as the device, and High attack complexity (AC:H), suggesting specific timing, conditions, or reconnaissance may be required beyond simple credential stuffing. The lack of password policy enforcement at the application layer allows unlimited authentication attempts without detection or throttling, converting what should be a computationally infeasible brute-force attack into a practical exploitation path given sufficient time and resources.

RemediationAI

Apply vendor-supplied firmware update addressing CIVN-2026-0200 if available from Quantum Networks; consult CERT-In advisory at https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2026-0200 for specific patch version. No patched firmware version independently confirmed from available data at time of analysis. If patching is delayed, implement compensating controls with understanding of their operational trade-offs: (1) Enforce network segmentation to isolate router management interfaces to dedicated administrative VLANs accessible only from hardened jump hosts, reducing adjacent network attack surface but requiring VLAN reconfiguration and potential management workflow changes. (2) Deploy rate-limiting or Web Application Firewall rules to throttle authentication attempts to the web management interface (e.g., maximum 3 failed attempts per source IP per 5 minutes), though this may impact legitimate administrative access during credential issues. (3) Disable web-based management interface entirely and restrict device administration to console access or SSH with public-key authentication only, eliminating the vulnerable attack surface but increasing administrative overhead for remote management scenarios. (4) Implement continuous monitoring of authentication logs for brute-force patterns (multiple failed login attempts from single source IPs) with automated alerting, which detects but does not prevent exploitation.

CVE-2012-2441 HIGH POC
8.5 Apr 28

RuggedCom Rugged Operating System (ROS) before 3.3 has a factory account with a password derived from the MAC Address fi

CVE-2024-42850 CRITICAL POC
9.8 Aug 16

An issue in the password change function of Silverpeas v6.4.2 and lower allows for the bypassing of password complexity

CVE-2025-28200 CRITICAL POC
9.8 May 09

Victure RX1800 EN_V1.0.0_r12_110933 was discovered to utilize a weak default password which includes the last 8 digits o

CVE-2025-28389 CRITICAL POC
9.8 Jun 13

Critical authentication bypass vulnerability in OpenC3 COSMOS v6.0.0 caused by weak password requirements that enable br

CVE-2025-63747 CRITICAL POC
9.8 Nov 17

QaTraq 6.9.2 ships with administrative account credentials which are enabled in default installations and permit immedia

CVE-2023-37756 CRITICAL POC
9.8 Sep 14

I-doit pro 25 and below and I-doit open 25 and below employ weak password requirements for Administrator account creatio

CVE-2023-2160 CRITICAL POC
9.8 Apr 18

Weak Password Requirements in GitHub repository modoboa/modoboa prior to 2.1.0. Rated critical severity (CVSS 9.8), this

CVE-2023-2106 CRITICAL POC
9.8 Apr 15

Weak Password Requirements in GitHub repository janeczku/calibre-web prior to 0.6.20. Rated critical severity (CVSS 9.8)

CVE-2023-1753 CRITICAL POC
9.8 Mar 31

Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.12. Rated critical severity (CVSS 9.8), t

CVE-2022-44236 CRITICAL POC
9.8 Dec 15

Beijing Zed-3 Technologies Co.,Ltd VoIP simpliclty ASG 8.5.0.17807 (20181130-16:12) has a Weak password vulnerability. R

CVE-2022-3754 CRITICAL POC
9.8 Oct 29

Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.8. Rated critical severity (CVSS 9.8), th

CVE-2022-3268 CRITICAL POC
9.8 Sep 22

Weak Password Requirements in GitHub repository ikus060/minarca prior to 4.2.2. Rated critical severity (CVSS 9.8), this

Share

EUVD-2026-24083 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy