Cyber Posture

CVE-2026-36959

Severity: High · Public PoC

Published: 30 April 2026
Modified: 05 May 2026
KEV Added: not listed
Patch: (no entry)
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0007 (21.6th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-36959 is a high-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in U-Speed N300 Firmware. Its CVSS base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Brute Force (T1110). EPSS ranks it at the 21.6th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and SC-5 (Denial-of-service Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Brute Force (T1110) and one other technique (T1110.001). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: AC-7 requires limits on consecutive unsuccessful logon attempts and automatic account lockout, directly mitigating the absence of rate limiting or lockout on the /api/login endpoint and so preventing brute-force attacks.

Prevent: SC-5 mandates denial-of-service protections, including rate-based attack prevention, addressing the unlimited authentication attempts that enable brute-force exploitation.

Detect: AU-12 requires generation of audit records for authentication events such as unsuccessful logons, enabling detection of brute-force attacks via patterns of excessive failed attempts.
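One way to implement the AC-7 lockout the page says /api/login lacks, and to replay AU-12-style audit records through it to see which attempts a lockout would have stopped. This is an added example, not U-SPEED firmware or the page's own code; the log line format, the thresholds and the sample log are constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed policy values (not from the advisory): 5 consecutive failures
# lock the (source IP, username) pair for 15 minutes.
MAX_FAILURES = 5
LOCKOUT_SECONDS = 900


class LoginGuard:
    """Consecutive-failure counter with lockout, in the spirit of NIST AC-7.

    Keyed on (source IP, username): keying on the username alone would let a
    LAN host lock the real administrator out (an SC-5 availability problem);
    keying on IP alone lets attempts against many accounts slip through.
    """

    def __init__(self, max_failures=MAX_FAILURES, lockout_seconds=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = defaultdict(int)   # consecutive failures per key
        self.locked_until = {}             # key -> unix time lockout expires

    def is_locked(self, key, now):
        until = self.locked_until.get(key)
        return until is not None and now < until

    def record(self, src_ip, user, success, now):
        """Return 'allowed', 'blocked' (already locked) or 'locked' (this attempt tripped it)."""
        key = (src_ip, user)
        if self.is_locked(key, now):
            return "blocked"   # even a correct password is refused during lockout
        if success:
            self.failures[key] = 0
            return "allowed"
        self.failures[key] += 1
        if self.failures[key] >= self.max_failures:
            self.locked_until[key] = now + self.lockout_seconds
            self.failures[key] = 0
            return "locked"
        return "allowed"


# Constructed audit-line format: "<unix_ts> <src_ip> POST /api/login user=<u> result=ok|fail"
LOG_RE = re.compile(r"^(?P<ts>\d+) (?P<ip>[\d.]+) POST /api/login user=(?P<user>\S+) result=(?P<res>ok|fail)$")


def replay(log_lines, guard=None):
    """Feed audit records through the guard and return the decision for each parsed line."""
    guard = guard or LoginGuard()
    return [guard.record(m["ip"], m["user"], m["res"] == "ok", int(m["ts"]))
            for m in map(LOG_RE.match, log_lines) if m]


# Constructed sample: six failed guesses, then the right password, all from one LAN host.
SAMPLE_LOG = [f"{1000 + i} 192.168.1.50 POST /api/login user=admin result=fail" for i in range(6)]
SAMPLE_LOG.append("1006 192.168.1.50 POST /api/login user=admin result=ok")
```

With the sample log, the fifth failure trips the lockout and the sixth failure and the later correct password are both refused, which is exactly what the absent control on V1.0.0 allows through.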

MITRE ATT&CK Enterprise Techniques

T1110 Brute Force (tactic: Credential Access)
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.

T1110.001 Password Guessing (tactic: Credential Access)
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.

Why these techniques?

The lack of rate limiting on the /api/login endpoint directly enables unlimited authentication attempts, facilitating brute-force password guessing against the administrator account (T1110 Brute Force, specifically T1110.001 Password Guessing).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

U-SPEED N300 router V1.0.0 does not implement rate limiting or account lockout protections on the /api/login endpoint. This allows an attacker on the local network to perform unlimited authentication attempts, enabling brute-force attacks against the administrator account and potential unauthorized access to the router management interface.

Deeper analysis

CVE-2026-36959 is a vulnerability in the U-SPEED N300 router version V1.0.0, where the /api/login endpoint lacks rate limiting or account lockout protections. This deficiency permits unlimited authentication attempts, facilitating brute-force attacks against the administrator account. The issue is categorized under CWE-307: Improper Restriction of Excessive Authentication Attempts and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact potential.

An attacker positioned on the local network can exploit this vulnerability by launching repeated login attempts without restrictions, enabling brute-force guessing of the administrator credentials. Successful exploitation could grant unauthorized access to the router's management interface, potentially allowing configuration changes, data extraction, or further network compromise.

Mitigation guidance and additional details are available in vendor resources at http://u-speed.com and the associated GitHub repository https://github.com/kirubel-cve/CVE-2026-36959.

Details

CWE(s): CWE-307 (Improper Restriction of Excessive Authentication Attempts)

Affected Products

U-Speed N300 firmware, version 1.0.0

CVEs Like This One

CVE-2026-36958 · Same product: U-Speed N300
CVE-2026-22616 · Shared CWE-307
CVE-2024-51476 · Shared CWE-307
CVE-2025-64310 · Shared CWE-307
CVE-2026-32295 · Shared CWE-307
CVE-2025-25595 · Shared CWE-307
CVE-2025-12995 · Shared CWE-307
CVE-2026-40586 · Shared CWE-307
CVE-2025-69246 · Shared CWE-307
CVE-2026-6947 · Shared CWE-307

References