CVE-2026-36959
Brute-Force Vulnerability in U-SPEED N300 Router
Publication date: 2026-04-30
Last updated on: 2026-05-05
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| u-speed | n300_firmware | 1.0.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-307 | The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-36959 is a vulnerability in the U-SPEED N300 router firmware version V1.0.0. The issue is that the /api/login endpoint does not have rate limiting or account lockout protections. This means an attacker on the local network can try to guess the administrator password by making unlimited login attempts without being blocked or slowed down.
Because of this, an attacker can perform brute-force attacks against the administrator account, potentially gaining unauthorized access to the router's management interface.
How can this vulnerability impact me? :
This vulnerability can allow an attacker on the same local network to gain unauthorized administrative access to your U-SPEED N300 router.
With such access, the attacker could take full control over the router's configuration, potentially compromising your network security, intercepting traffic, or disrupting network operations.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring the /api/login endpoint on the U-SPEED N300 router for signs of repeated or unlimited authentication attempts without any rate limiting or account lockout.
You can use network traffic analysis tools such as Wireshark or tcpdump to capture and inspect HTTP POST requests to the /api/login endpoint from devices on your local network.
Additionally, checking the router's logs (if accessible) for multiple failed login attempts without any lockout can help identify brute-force attempts.
- Use tcpdump to capture login attempts: tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/api/login'
- Use curl or similar tools to test login attempts manually and observe if there is any rate limiting or lockout: curl -X POST http://<router-ip>/api/login -d '{"username":"admin","password":"wrongpass"}'
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the router's management interface to trusted devices only, such as by using network segmentation or firewall rules.
Change the default administrator password to a strong, unique password to reduce the risk of brute-force success.
If possible, disable remote management or access to the /api/login endpoint from untrusted networks.
Implement monitoring to detect unusual login attempts and respond accordingly.
Long term remediation involves updating the router firmware to a version that implements rate limiting, account lockout after repeated failed attempts, exponential backoff, or CAPTCHA mechanisms to prevent brute-force attacks.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows unauthorized administrative access to the router management interface through brute-force attacks, which can lead to unauthorized access to network configurations and potentially sensitive data.
Such unauthorized access could result in non-compliance with common standards and regulations like GDPR and HIPAA, which require adequate security controls to protect sensitive data and prevent unauthorized access.
Specifically, the lack of rate limiting and account lockout mechanisms on the login endpoint undermines security best practices mandated by these regulations, increasing the risk of data breaches and regulatory violations.