Cyber Resilience

CVE-2026-36959

Severity: High · Public PoC

Published: 30 April 2026
Modified: 05 May 2026
KEV Added: not listed
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0010 (27.9th percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-36959 is a high-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in U-Speed N300 Firmware. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110). The CVE is ranked at the 27.9th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and SC-5 (Denial-of-service Protection).

Deeper analysis

CVE-2026-36959 is a vulnerability in the U-SPEED N300 router version V1.0.0, where the /api/login endpoint lacks rate limiting or account lockout protections. This deficiency permits unlimited authentication attempts, facilitating brute-force attacks against the administrator account. The issue is categorized under CWE-307: Improper Restriction of Excessive Authentication Attempts and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact potential.

An attacker positioned on the local network can exploit this vulnerability by launching repeated login attempts without restrictions, enabling brute-force guessing of the administrator credentials. Successful exploitation could grant unauthorized access to the router's management interface, potentially allowing configuration changes, data extraction, or further network compromise.

Mitigation guidance and additional details are available in vendor resources at http://u-speed.com and the associated GitHub repository https://github.com/kirubel-cve/CVE-2026-36959.


Vulnerability details

U-SPEED N300 router V1.0.0 does not implement rate limiting or account lockout protections on the /api/login endpoint. This allows an attacker on the local network to perform unlimited authentication attempts, enabling brute-force attacks against the administrator account and potential unauthorized access to the router management interface.

CWE(s)

CWE-307: Improper Restriction of Excessive Authentication Attempts

Related Threats

MITRE ATT&CK Enterprise Techniques

T1110 Brute Force (Credential Access)
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.

T1110.001 Password Guessing (Credential Access)
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.

Why these techniques?

The lack of rate limiting on the /api/login endpoint directly enables unlimited authentication attempts, facilitating brute-force password guessing against the administrator account (T1110 Brute Force, specifically T1110.001 Password Guessing).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-36958: same product (U-Speed N300)
CVE-2025-25595: shared CWE-307
CVE-2026-32295: shared CWE-307
CVE-2024-51476: shared CWE-307
CVE-2025-64310: shared CWE-307
CVE-2023-54347: shared CWE-307
CVE-2026-43914: shared CWE-307
CVE-2026-22616: shared CWE-307
CVE-2025-12995: shared CWE-307
CVE-2025-14362: shared CWE-307

Affected Assets

Vendor: u-speed
Product: n300 firmware
Version: 1.0.0

Mitigating Controls (NIST 800-53 r5)

AC-7 (Unsuccessful Logon Attempts), prevent: requires limits on consecutive unsuccessful logon attempts and automatic account lockout, directly mitigating the absence of rate limiting or lockout on the /api/login endpoint to prevent brute-force attacks.

SC-5 (Denial-of-service Protection), prevent: mandates denial-of-service protections including rate-based attack prevention, addressing unlimited authentication attempts that enable brute-force exploitation.

AU-12 (Audit Record Generation), detect: requires generation of audit records for authentication events such as unsuccessful logons, enabling detection of brute-force attacks via patterns of excessive failed attempts.
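The three controls above, worked through as an added Python example (not code from the vendor, the advisory or the referenced repository): a guard around a login handler that applies an AC-7 style consecutive-failure lockout and an SC-5 style per-source rate limit, and an AU-12 style check that flags sources with excessive denied logons in audit records. The `check_credentials` callable, the policy numbers and the key=value log lines are all constructed assumptions for illustration.

```python
import time
from collections import defaultdict, deque
MAX_CONSECUTIVE_FAILURES = 5   # AC-7: lock after N consecutive failures (constructed policy)
LOCKOUT_SECONDS = 900          # AC-7: automatic lockout duration (constructed policy)
RATE_WINDOW_SECONDS = 60       # SC-5: per-source rate window (constructed policy)
RATE_MAX_ATTEMPTS = 10         # SC-5: attempts one source may make per window (constructed)

class LoginGuard:
    def __init__(self, check_credentials, clock=time.monotonic):
        self.check = check_credentials          # hypothetical callable(account, password) -> bool
        self.clock = clock                      # injectable so tests can advance time
        self.failures = defaultdict(int)        # account -> consecutive failures
        self.locked_until = {}                  # account -> unlock timestamp
        self.per_source = defaultdict(deque)    # source address -> attempt timestamps
    def attempt(self, source, account, password):
        now = self.clock()
        q = self.per_source[source]             # SC-5: rate check runs before any credential check
        while q and now - q[0] > RATE_WINDOW_SECONDS:
            q.popleft()
        if len(q) >= RATE_MAX_ATTEMPTS:
            return "rate_limited"
        q.append(now)
        if self.locked_until.get(account, 0) > now:   # AC-7: refused even with the right password
            return "locked"
        if self.check(account, password):
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        if self.failures[account] >= MAX_CONSECUTIVE_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            self.failures[account] = 0
            return "locked"
        return "denied"

# AU-12 side: constructed key=value audit lines of the kind a router could emit
SAMPLE_LOG = [
    "ts=1 event=login src=192.0.2.7 user=admin result=denied",
    "ts=2 event=login src=192.0.2.7 user=admin result=denied",
    "ts=3 event=login src=192.0.2.7 user=admin result=denied",
    "ts=4 event=login src=192.0.2.8 user=admin result=ok",
]

def failed_logon_sources(log_lines, threshold=3):
    # Return {source: failures} for sources with at least `threshold` denied logins
    counts = defaultdict(int)
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        if fields.get("event") == "login" and fields.get("result") == "denied":
            counts[fields["src"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}
```

Note that the rate limit is checked before the credential function is called, so a flood of attempts does not cost a password comparison each, and that a locked account stays locked even when the correct password arrives.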
