Dbit N300 T1 Pro Wireless Router Authentication Rate Limiting Vulnerability
Vulnerability
A vulnerability exists in the Dbit N300 T1 Pro Easy Setup Wireless Wi-Fi Router running firmware version V1.0.0. The router's login API lacks proper rate limiting, enabling remote attackers to perform brute-force or credential-stuffing attacks. This flaw could lead to unauthorized administrative access, allowing attackers to change configurations, modify DNS settings, or upload new firmware.
Impact
Exploitation of this vulnerability could result in unauthorized administrative access to the router, allowing attackers to make configuration changes, alter DNS settings, or upload firmware updates.
Reproduction
The vulnerability can be reproduced by sending automated HTTP POST requests to the '/api/login' endpoint with varying password guesses. The absence of rate limiting can be verified by observing the server's responses: every attempt is processed normally, and a response containing a session token is still returned even after multiple failed login attempts.
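The control this advisory says is missing, shown as an added example rather than vendor code: a sliding-window failure limiter with exponential lockout, keyed on both the source address and the target account, placed in front of the credential check of an endpoint like /api/login. The thresholds, key names and `handle_login` are assumptions for illustration.

```python
import time
from collections import defaultdict, deque
# Illustrative policy for a login endpoint such as /api/login: after MAX_FAILURES
# failures within WINDOW seconds a key is locked out, and the lockout doubles on
# each repeat (capped). The numbers are assumptions, not vendor values.
MAX_FAILURES, WINDOW, BASE_LOCKOUT, MAX_LOCKOUT = 5, 60.0, 30.0, 3600.0

class FailureLimiter:
    """Sliding-window failure counter with exponential lockout, per key."""
    def __init__(self, clock=time.monotonic):
        self.clock = clock                   # injectable so tests can fake time
        self.failures = defaultdict(deque)   # key -> timestamps of recent failures
        self.locked = {}                     # key -> (locked_until, last_lockout)

    def retry_after(self, key):
        """Seconds until the key may try again; 0.0 if it is not locked out."""
        until, _ = self.locked.get(key, (0.0, 0.0))
        return max(0.0, until - self.clock())

    def record(self, key, success):
        now = self.clock()
        if success:                          # clear the history on a real login
            self.failures.pop(key, None)
            self.locked.pop(key, None)
            return
        q = self.failures[key]
        q.append(now)
        while q and now - q[0] > WINDOW:     # forget failures outside the window
            q.popleft()
        if len(q) >= MAX_FAILURES:
            _, last = self.locked.get(key, (0.0, 0.0))
            lockout = BASE_LOCKOUT if last == 0.0 else min(last * 2, MAX_LOCKOUT)
            self.locked[key] = (now + lockout, lockout)
            q.clear()

def handle_login(limiter, client_ip, username, password_ok):
    """Throttle source and account; password_ok stands in for the real check."""
    ip_key, user_key = "ip:" + client_ip, "user:" + username.lower()
    wait = max(limiter.retry_after(ip_key), limiter.retry_after(user_key))
    if wait > 0:
        return {"status": 429, "retry_after": round(wait)}   # no token, no hint
    if password_ok:
        # Reset only the account: one valid login must not wipe a source's record.
        limiter.record(user_key, True)
        return {"status": 200, "session": "<token issued here>"}
    limiter.record(ip_key, False)
    limiter.record(user_key, False)
    return {"status": 401}
```

With this in place the behaviour described under Reproduction changes: after the fifth failure the endpoint answers 429 without evaluating the password at all, and a correct guess from the same source or against the same account no longer yields a session token until the lockout expires.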
