CVE-2026-31851

CRITICAL

Lack of rate limiting allows brute-force attacks in Nexxt Nebula 300+

Title source: cna

Description

Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 does not implement rate limiting or account lockout mechanisms on authentication interfaces. An attacker can perform unlimited authentication attempts against endpoints that rely on credential validation, enabling brute-force attacks to guess administrative credentials without restriction.

Scores

CVSS v3: 9.8
EPSS: 0.0009
EPSS Percentile: 25.3%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total

Details

CWE: CWE-307
Status: published
Products (2):
Nexxt Solutions/Nebula 300+ <= 12.01.01.37
nexxtsolutions/nebula300plus_firmware < 12.01.01.37
Published: Mar 23, 2026
Tracked Since: Mar 23, 2026