| Title | Mercusys Router MW301R 1.0.2 Build 190726 Rel.59423n (4252) 7PK Security Features / Brute Force via IP Cycling |
|---|
| Description | Hello team!
The Mercusys MW301R router implements a basic brute-force protection mechanism that blocks login attempts after a number of failed tries. However, this blocking mechanism is based solely on the source IP address, without enforcing any session fingerprinting, token validation, or advanced rate-limiting / and MAC Address, etc.
An attacker connected to the LAN can simply change their local IP address (e.g., from 192.168.1.10 to 192.168.1.11) after reaching the limit, effectively resetting the login attempt counter.
This allows a brute-force attack to be performed against the admin login page, completely defeating the intended security mechanism. |
|---|
| Source | ⚠️ https://github.com/RaulPazemecxas/PoCVulDb/blob/main/README21.md |
|---|
| User | RaulPACXXX (UID 84502) |
|---|
| Submission | 07/08/2025 14:00 (12 months ago) |
|---|
| Moderation | 07/19/2025 09:44 (11 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 316997 [Mercusys MW301R 1.0.2 Build 190726 Rel.59423n Login excessive authentication] |
|---|
| Points | 20 |
|---|