Description
Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 does not implement rate limiting or account lockout mechanisms on authentication interfaces. An attacker can perform unlimited authentication attempts against endpoints that rely on credential validation, enabling brute-force attacks to guess administrative credentials without restriction.
Published: 2026-03-23
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Unrestricted brute‑force authentication
Action: Patch immediately
AI Analysis

Impact

The firmware for Nexxt Solutions Nebula 300+ up to and including version 12.01.01.37 has no mechanism to limit the number of authentication attempts or to lock an account after repeated failures, which leaves its login interfaces open to brute force. An attacker who can reach the device's credential validation endpoints can try an arbitrary number of username/password combinations and may eventually discover the administrative credentials. This weakness is CWE‑307 (Improper Restriction of Excessive Authentication Attempts). The primary effect is a loss of account confidentiality and integrity: because nothing throttles or locks the account, an attacker may gain full administrative access without triggering any lockout that a defender would notice.

Affected Systems

The known affected vendor is Nexxt Solutions and the product is the Nebula 300+. All firmware releases up to and including version 12.01.01.37 are impacted. No other product or version information is listed. Endpoints that rely on the device's credential validation services are vulnerable.

Risk and Exploitability

The CVSS score is 7.7, indicating high severity. The EPSS score is below 1%, suggesting low exploitation likelihood in the general threat landscape, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is a network‑based attempt against the device's authentication interfaces, which requires the attacker to reach the device and submit credential inputs. If successful, the attacker obtains administrative access and control over the entire Nebula 300+ installation.

Generated by OpenCVE AI on March 26, 2026 at 12:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Nebula 300+ firmware update (version 12.01.01.38 or later).
  • Restrict network access to the device’s authentication interfaces using ACLs or firewall rules to limit potential attackers.
  • Enable multi‑factor authentication on administrative accounts if the firmware supports it.
  • Implement external rate‑limiting or intrusion‑prevention controls to mitigate brute‑force attempts if updates are unavailable.

Generated by OpenCVE AI on March 26, 2026 at 12:22 UTC.
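As an added illustration (not code from OpenCVE or from the Nebula 300+ firmware), the control whose absence CWE-307 describes: a per-source sliding-window rate limit combined with a per-account lockout after consecutive failures, exercised against a constructed brute-force run. The thresholds, the `admin` account and the 198.51.100.x source addresses are assumed test values, and the clock is injected so the behaviour is deterministic.

```python
from collections import defaultdict, deque


class AuthAttemptGuard:
    """Per-source rate limit plus per-account lockout (thresholds are illustrative)."""
    def __init__(self, max_per_window=5, window_s=60.0,
                 lockout_failures=10, lockout_s=900.0):
        self.max_per_window = max_per_window
        self.window_s = window_s
        self.lockout_failures = lockout_failures
        self.lockout_s = lockout_s
        self._attempts = defaultdict(deque)  # source -> attempt timestamps
        self._failures = defaultdict(int)    # account -> consecutive failures
        self._locked_until = {}              # account -> lockout expiry time

    def check(self, source, account, now):
        """Return (allowed, reason); call before validating the credential."""
        until = self._locked_until.get(account)
        if until is not None and now < until:
            return False, "account_locked"
        q = self._attempts[source]
        while q and now - q[0] >= self.window_s:  # drop attempts outside window
            q.popleft()
        if len(q) >= self.max_per_window:
            return False, "rate_limited"
        q.append(now)
        return True, "ok"

    def record_result(self, account, success, now):
        """Update the account's failure counter after credential validation."""
        if success:
            self._failures[account] = 0
            self._locked_until.pop(account, None)
            return
        self._failures[account] += 1
        if self._failures[account] >= self.lockout_failures:
            self._locked_until[account] = now + self.lockout_s
            self._failures[account] = 0


def simulate(attempts=20, rotate_sources=False):
    """Constructed scenario: wrong passwords for 'admin', one per second, from one
    source or from a new source each attempt. Returns how many reach validation."""
    guard = AuthAttemptGuard()
    allowed = 0
    for i in range(attempts):
        src = f"198.51.100.{i}" if rotate_sources else "198.51.100.7"
        ok, _ = guard.check(src, "admin", now=float(i))
        if ok:
            allowed += 1
            guard.record_result("admin", success=False, now=float(i))
    return allowed
```

With a single source the window limit stops the run after five attempts; with a rotating source the per-source limit never fires and only the account lockout ends it, which is why both controls are needed.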


Advisories

No advisories yet.

History

Wed, 29 Apr 2026 17:45:00 +0000

Type: First Time appeared
  Values Added: Nexxtsolutions nebula300plus; Nexxtsolutions nebula300plus Firmware
Type: CPEs
  Values Added: cpe:2.3:h:nexxtsolutions:nebula300plus:-:*:*:*:*:*:*:*; cpe:2.3:o:nexxtsolutions:nebula300plus_firmware:*:*:*:*:*:*:*:*
Type: Vendors & Products
  Values Added: Nexxtsolutions nebula300plus; Nexxtsolutions nebula300plus Firmware
Type: Metrics
  Values Added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Thu, 26 Mar 2026 11:00:00 +0000

Type: Description
  Values Removed: Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 does not implement rate limiting or account lockout on the authentication interface.
  Values Added: Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 does not implement rate limiting or account lockout mechanisms on authentication interfaces. An attacker can perform unlimited authentication attempts against endpoints that rely on credential validation, enabling brute-force attacks to guess administrative credentials without restriction.
Type: Title
  Values Removed: Lack of rate limiting allows brute-force attacks in Nexxt Nebula 300+
  Values Added: Lack of Rate Limiting Enables Brute-Force Attacks in Nexxt Nebula 300+

Tue, 24 Mar 2026 10:45:00 +0000

Type: First Time appeared
  Values Added: Nexxtsolutions; Nexxtsolutions nebula300+
Type: Vendors & Products
  Values Added: Nexxtsolutions; Nexxtsolutions nebula300+

Mon, 23 Mar 2026 16:15:00 +0000

Type: Metrics
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 12:45:00 +0000

Type: Description
  Values Added: Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 does not implement rate limiting or account lockout on the authentication interface.
Type: Title
  Values Added: Lack of rate limiting allows brute-force attacks in Nexxt Nebula 300+
Type: Weaknesses
  Values Added: CWE-307
Type: References
Type: Metrics
  Values Added: cvssV4_0 {'score': 7.7, 'vector': 'CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: TuranSec

Published:

Updated: 2026-03-26T10:47:04.841Z

Reserved: 2026-03-09T18:20:23.399Z

Link: CVE-2026-31851

Vulnrichment

Updated: 2026-03-23T15:16:33.710Z

NVD

Status: Analyzed

Published: 2026-03-23T13:16:30.960

Modified: 2026-04-29T17:37:36.430

Link: CVE-2026-31851

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T13:55:16Z

Weaknesses