Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from Vendor (mitre) · only source for this CVE.
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
5DescriptionCVE.org
U-SPEED N300 router V1.0.0 does not implement rate limiting or account lockout protections on the /api/login endpoint. This allows an attacker on the local network to perform unlimited authentication attempts, enabling brute-force attacks against the administrator account and potential unauthorized access to the router management interface.
AnalysisAI
Brute-force attacks against U-SPEED N300 router V1.0.0 can compromise administrator credentials due to missing rate limiting on the /api/login endpoint. Local network attackers can execute unlimited authentication attempts without account lockout, enabling credential compromise and unauthorized access to router management. SSVC indicates proof-of-concept exists and the attack is automatable with partial technical impact. CVSS 7.5 reflects network accessibility, but the vulnerability description specifies 'local network' access requirement, suggesting the actual attack vector may be more constrained than the AV:N metric indicates.
Technical ContextAI
This is a CWE-307 (Improper Restriction of Excessive Authentication Attempts) vulnerability in the web management interface of the U-SPEED N300 router firmware V1.0.0. The /api/login REST API endpoint lacks fundamental authentication security controls: no rate limiting throttles request frequency, no account lockout occurs after failed attempts, and no CAPTCHA or similar challenge-response mechanism protects against automated credential stuffing. This implementation flaw is common in embedded device firmware where developers prioritize functionality over security hardening. The CPE string is incomplete (cpe:2.3:a:n/a:n/a), indicating the product is not yet formally catalogued in NVD's product database, which may reflect the vendor's limited security ecosystem maturity.
RemediationAI
No vendor-released patch identified at time of analysis - the vendor website (http://u-speed.com) and researcher disclosure (https://github.com/kirubel-cve/CVE-2026-36959) do not reference a security update or fixed firmware version. Until a patch is available, implement network-layer compensating controls: isolate the router management interface to a dedicated VLAN accessible only from trusted administrator workstations, restricting access via firewall rules that permit only specific source IPs to reach the management interface. This reduces attack surface but requires network segmentation capability and does not protect against attacks from compromised trusted hosts. Alternatively, disable remote management entirely and configure the router only via direct physical console access, though this severely limits operational flexibility. Change default administrator credentials to strong passwords (16+ characters, high entropy) to increase brute-force time requirements from minutes to years, though this is defense-in-depth rather than a true fix given unlimited attempts. Deploy network intrusion detection systems to alert on excessive authentication failures from single source IPs as a detective control. Monitor the vendor website and researcher GitHub repository for patch announcements.
Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali
Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST
Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o
Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when
Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_
Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc
Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s
An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge
An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26380