CVE-2026-27521
Published: 24 February 2026
Summary
CVE-2026-27521 is a high-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in Binardat 10G08-0800GSM firmware. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Password Guessing (T1110.001); ranked at the 14.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating Controls [AI]
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
This control directly enforces limits on consecutive invalid logon attempts and automatic response (e.g., lockout) to prevent brute-force exploitation of authentication mechanisms.
Specific conditions can include excessive failed attempts, triggering stronger authentication that restricts brute-force exploitation.
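The lockout control described above, as an added illustration that is not part of this CVE record or the vendor's firmware: a login gate that counts consecutive failures per account and refuses further attempts for a lockout period. The threshold, lockout duration and credential check are assumed placeholder values, and the check is made before password verification so a locked account gives no feedback about the password.

```python
import hmac
import time
from dataclasses import dataclass


@dataclass
class AccountState:
    failures: int = 0        # consecutive failed attempts since last success or lockout
    locked_until: float = 0.0  # monotonic timestamp; 0.0 means not locked


class LoginGuard:
    """Enforce a CWE-307 style limit: N consecutive failures lock the account."""

    def __init__(self, verify, max_failures=5, lockout_seconds=900,
                 clock=time.monotonic):
        self.verify = verify              # callable(user, password) -> bool
        self.max_failures = max_failures  # assumed policy value
        self.lockout_seconds = lockout_seconds
        self.clock = clock                # injectable for testing
        self.state = {}

    def attempt(self, user, password):
        """Return 'ok', 'fail' or 'locked'. Locked accounts are rejected
        before the password is checked, so lockout is not a password oracle."""
        now = self.clock()
        st = self.state.setdefault(user, AccountState())
        if now < st.locked_until:
            return "locked"
        if self.verify(user, password):
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= self.max_failures:
            st.locked_until = now + self.lockout_seconds
            st.failures = 0  # counter restarts once the lockout expires
            return "locked"
        return "fail"


# Constructed credential store for the demo; a real device would hash passwords.
_DEMO_USERS = {"admin": "placeholder-secret"}


def demo_verify(user, password):
    expected = _DEMO_USERS.get(user, "")
    return hmac.compare_digest(expected.encode(), password.encode())
```

Per-account lockout alone lets an attacker lock out legitimate users, so it is normally paired with per-source throttling; the counter and timestamp must also survive a reboot to be meaningful on a device.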
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
Missing rate limiting/lockout directly enables online password guessing (T1110.001) against the exposed management interface to obtain valid credentials.
NVD Description
Binardat 10G08-0800GSM network switch firmware version V300SP10260209 and prior do not implement rate limiting or account lockout on failed login attempts, enabling brute-force attacks against user credentials.
Deeper analysis [AI]
CVE-2026-27521 is a vulnerability in the Binardat 10G08-0800GSM network switch firmware, specifically version V300SP10260209 and prior. The issue arises from the lack of rate limiting or account lockout on failed login attempts, enabling brute-force attacks against user credentials. Published on 2026-02-24, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and maps to CWE-307: Improper Restriction of Excessive Authentication Attempts.
Attackers with network access to the switch can exploit this remotely without privileges or user interaction. By conducting repeated authentication attempts, they can brute-force credentials to gain unauthorized access to the management interface, resulting in high confidentiality impact through exposure of sensitive device data.
Advisories and vendor resources provide further details on the issue. The VulnCheck advisory at https://www.vulncheck.com/advisories/binardat-10g08-0800gsm-network-switch-missing-login-rate-limiting outlines the vulnerability, while the product page at https://www.binardat.com/products/8-port-10-gigabit-sfp-managed-switch,-support-1g-sfp-and-10g-sfp-module,-160gbps-bandwidth,-l3-web-managed,-metal-fanless-fiber-binardat-network-switch describes the affected hardware.
Details
- CWE(s)