Cyber Resilience

CVE-2026-41037

High

Published: 21 April 2026

Published
21 April 2026
Modified
06 May 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0020 9.4th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-41037 is a high-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in Qntmnet Qn-I-470 Firmware. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Password Guessing (T1110.001); ranked at the 9.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

This vulnerability exists in Quantum Networks router due to missing rate limiting and CAPTCHA protection for failed login attempts in the web-based management interface. An attacker on the same network could exploit this vulnerability by performing brute force attacks against…

more

administrative credentials, leading to unauthorized access with root privileges on the targeted device.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1110.001 Password Guessing Credential Access
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.
Why these techniques?

Missing rate limiting directly enables password guessing via brute force against the web management interface to obtain valid admin credentials.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

qntmnet
qn-i-470 firmware
6.1.1.b1

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-307

This control directly enforces limits on consecutive invalid logon attempts and automatic response (e.g., lockout) to prevent brute-force exploitation of authentication mechanisms.

addresses: CWE-307

Specific conditions can include excessive failed attempts, triggering stronger authentication that restricts brute-force exploitation.

References