CVE-2026-31851 PUBLISHED

Lack of rate limiting allows brute-force attacks in Nexxt Nebula 300+

Assigner: TuranSec
Reserved: 09.03.2026 Published: 23.03.2026 Updated: 23.03.2026

Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 does not implement rate limiting or account lockout on the authentication interface.

Metrics

CVSS Vector: CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 7.7

Product Status

Vendor Nexxt Solutions
Product Nebula 300+
Versions Default: unaffected
  • Version <= 12.01.01.37 is affected

Credits

  • Angel Barre (call4pwn) finder

References

Problem Types

  • CWE-307 Improper Restriction of Excessive Authentication Attempts CWE

Impacts

  • An attacker can perform unlimited authentication attempts, enabling brute-force attacks against administrative credentials.