CVE-2026-41037 · This vulnerability exists in Quantum Networks router due to missing rate limiting and CAPTCHA protection for failed login attempts in the we

01 · The Real Story

This is a locked door with no night guard, not a door with no lock

CVE-2026-41037 is a missing brute-force defense issue in the Quantum Networks QN-I-470 web management interface. NVD ties the affected software to qntmnet:qn-i-470_firmware:6.1.1.b1, and the public advisory for the product family describes the vulnerable condition as unlimited failed-login attempts without rate limiting or CAPTCHA on the web UI. On paper that can end in root-level administrative control, but only after the attacker can reach the management page from the same network and only if valid admin credentials are guessable, reused, default, or weak.

The vendor HIGH rating overstates enterprise reality. This is not unauthenticated remote code execution; it is an *adjacent-network credential-guessing opportunity* whose success is dominated by deployment hygiene: whether the management UI is reachable from user/Wi-Fi segments, whether strong unique admin passwords are in place, and whether operations actually watch for repeated failures. In a flat SMB network this can bite hard; in a segmented enterprise it is usually a post-initial-access or rogue-client problem, so it lands in MEDIUM.

"This is a router takeover only if the attacker is already adjacent and your admin password is guessable."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Get adjacent network position with Wi-Fi/LAN access

The attacker first needs layer-2 or same-segment reachability to the QN-I-470 management interface. In practice that means a rogue wireless client, a compromised endpoint already on the office network, or physical access to a switchport. Commodity tooling here is just normal network access or wireless association tooling such as wpa_supplicant/aircrack-ng-adjacent workflows; the CVE itself does not provide initial access.

Conditions required:

Attacker is on the same wired or wireless network as the device
The device is operating in a mode where its web management interface is locally reachable

Where this breaks in practice:

WPA2-Enterprise/802.1X, NAC, guest isolation, and port security can block adjacency
If the AP is controller-managed or placed on a dedicated management VLAN, ordinary users never reach the login page

Detection/coverage: Wireless IDS, NAC, switch auth logs, and DHCP inventory can often detect the prerequisite rogue-client or post-compromise presence, but vulnerability scanners alone will not prove exploitability.

STEP 02

Reach the web admin surface with curl, Burp, or a browser

Once adjacent, the attacker must find the management IP and confirm the login endpoint is exposed. This is simple with curl, Burp Suite, or any browser, but it still depends on the admin UI being reachable from that segment. The CVSS vector says AV:A, and that matters: this is not a broad internet-scale spray opportunity by default.

Conditions required:

Management HTTP/HTTPS is enabled
Routing, ACLs, or local firewalling permit access from the attacker's segment

Where this breaks in practice:

Many enterprises restrict device administration to jump hosts, controllers, or specific admin subnets
Some deployments disable local web administration entirely in favor of central management

Detection/coverage: Config auditing and authenticated discovery can usually identify whether the management interface is enabled; unauthenticated scanners may only see an HTTPS listener and miss actual reachability policy.

STEP 03

Brute-force admin credentials with Hydra or Patator

This is the weaponized step the flaw enables. Tools like Hydra, Patator, or a short custom Python script can send repeated failed logins because the interface lacks throttling and CAPTCHA. But the missing control only helps if there is something to guess: weak, reused, shared, or default admin credentials.

Conditions required:

No effective rate limiting, lockout, or anti-automation challenge is enforced
An admin account exists with a guessable or reused password

Where this breaks in practice:

Strong unique passwords or centralized secrets management make brute force impractical
SOC monitoring on repeated auth failures can surface the attack before success
If the organization rotated away from factory defaults at deployment, the attacker loses the easiest path

Detection/coverage: Good coverage is possible through login-failure bursts, web access logs, WAF/reverse-proxy logs if used, and SIEM correlation on repeated failures from one source.

STEP 04

Abuse recovered admin access for device takeover and pivoting

If credentials are guessed, the attacker gains administrative control and can change routing, DNS, SSIDs, ACLs, or packet-capture settings, and may use the device as a pivot or monitoring point. That is serious impact, but it is impact *after* two practical gates: adjacency and credential weakness. In controller-heavy environments, local config drift may also be overwritten or noticed more quickly.

Conditions required:

Successful recovery of valid administrator credentials
The account has full administrative privileges

Where this breaks in practice:

Blast radius is often limited to the device or site unless the same credentials are reused fleet-wide
Change monitoring, controller sync, and syslog can expose post-login tampering

Detection/coverage: Monitor configuration changes, new admin sessions, DNS/NAT modifications, SSID changes, and unusual outbound connections from the device.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No public exploitation evidence surfaced in the reviewed sources, and it is not listed in CISA KEV as of the catalog page reviewed.
Proof-of-concept availability	No public exploit repo or write-up for this exact CVE surfaced in open-web review. Secondary tracking pages for the CVE did not show a public PoC, which aligns with the very low EPSS.
EPSS	`0.00036` from your intel, which is extremely low; a secondary tracker also places it around the 8th percentile. That is a strong downward signal on expected near-term attacker interest.
KEV status	Not KEV-listed. No CISA due date exists because the CVE does not appear in the Known Exploited Vulnerabilities catalog.
CVSS vector reality check	`CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` looks scary because impact is maxed out, but `AV:A` means the attacker must already be on the same network. That sharply shrinks the exposed population versus true internet-reachable bugs.
Affected versions	NVD's analyzed CPE ties the issue to Quantum Networks QN-I-470 firmware `6.1.1.B1` on the hardware platform `qntmnet:qn-i-470`.
Fixed version clarity	Quantum's firmware portal publicly lists newer firmware such as `6.1.1.B1.2` and `7.0.1.B1`, but I found no authoritative vendor note explicitly mapping this CVE to a fixed build. Treat upgrade guidance as vendor-confirmation-required.
Exposure population	This product is marketed as an indoor Wi-Fi 6 enterprise access point with cloud or on-prem management options. That suggests many deployments will keep management on restricted admin paths rather than expose the UI broadly; this is an inference from the product architecture, not a direct vendor security claim.
Disclosure timeline	Disclosed 2026-04-21. NVD shows a notable change history: the record was initially published with a different description/CWE and then corrected the same day to the brute-force issue, so make sure your internal data source ingested the final CVE text.
Reporter / source	The CNA/source is CERT-In. A public mirror of advisory `CIVN-2026-0200` attributes the Quantum Networks findings to Rakesh Elamaran, Joel William A, Bajino Viju, Stalin S, Janish Andrin J, and Kalpana B N.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to MEDIUM (5.6/10)

The decisive downgrade factor is that exploitation requires adjacent network access plus a guessable admin credential; that is a compounded prerequisite chain, not a broad pre-auth remote compromise. The bug matters because a successful guess ends in full device control, but most mature enterprises cut the reachable population sharply with management-plane segmentation and password hygiene.

HIGH Affected product/version and CNA/NVD metadata

MEDIUM Real-world exploitability in segmented enterprise deployments

LOW Exact vendor fixed version, because no authoritative fix mapping was found in reviewed public sources

Why this verdict

Down from 8.8 because AV:A is real friction: the attacker must already be on the same LAN/WLAN segment, which usually implies rogue-client access or prior compromise rather than internet-scale reachability.
Down again because the CVE only removes throttling, not authentication itself: the attacker still needs a weak, reused, shared, or default admin password. Strong unique credentials collapse the practical exploit path.
Down again because management-plane exposure is not universal: on enterprise AP estates, local admin pages are often isolated to management VLANs, controllers, jump hosts, or disabled in favor of centralized administration.
Kept at MEDIUM because success is still ugly: if the two gates above are met, the attacker gets administrative control of a network device with the ability to reroute, sniff, disrupt, or pivot.

Why not higher?

There is no KEV listing, no public exploitation evidence in the reviewed sources, and the EPSS is extremely low. More importantly, the attack path stacks practical prerequisites: same-network position, reachable admin UI, and guessable credentials. That is too much friction for HIGH in an enterprise patch queue.

Why not lower?

This is not harmless hygiene. If you run flat networks, shared infrastructure passwords, or locally reachable device management from user/Wi-Fi segments, the exploit path becomes very real. A successful hit lands on a network-control point, so the impact is too operationally meaningful to push into LOW.

05 · Compensating Control

What to do — in priority order.

Restrict management-plane reachability — Allow the web UI only from dedicated admin jump hosts, controller networks, or a management VLAN. For a MEDIUM verdict there is no mitigation SLA, but this is worth doing now because it removes the largest amplifier in the attack chain: reachable login surface.
Rotate and randomize local admin credentials — Set long unique per-device or per-site admin passwords and eliminate shared defaults. There is no mitigation SLA for MEDIUM; treat this as immediate hardening while you work toward the remediation window.
Disable local web admin where operationally possible — If central management is available, turn off direct local administration on QN-I-470 devices. That removes the brute-force target entirely and is especially valuable for guest Wi-Fi or branch environments.
Alert on repeated login failures to network appliances — Create detections for bursts of failed authentications, especially from wireless user ranges, guest networks, and unmanaged endpoints. There is no mitigation SLA here, but this materially reduces dwell time if someone starts password spraying device interfaces.
Prefer upgrade over configuration hope — Move affected firmware off the vulnerable build after confirming the vendor-fixed image. For MEDIUM, there is no mitigation SLA — go straight to the 365-day remediation window, but do not leave version validation ambiguous.

What doesn't work

Changing the admin UI to a non-standard port does not fix missing rate limiting; Hydra and Burp do not care what TCP port you picked.
Password complexity policy on paper does not help if devices still retain shared, legacy, or deployment-default local admin credentials.
Perimeter WAF assumptions usually do not help because the attack path is commonly inside the LAN/WLAN against a local management interface, not through your internet edge.

06 · Verification

Crowdsourced verification payload.

Run this from an auditor workstation on the same network segment that can already reach the QN-I-470 management UI, not on the device itself. Invoke it as ./verify_cve_2026_41037.sh https://192.0.2.10 /login username password using a known-invalid password string; no admin privileges are needed on the workstation, but you need network access to the login endpoint and you may need to adjust the field names/path if your firmware uses a different form.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# verify_cve_2026_41037.sh
# Check for likely absence of rate limiting / CAPTCHA on a Quantum Networks QN-I-470 web login.
# Usage: ./verify_cve_2026_41037.sh <base_url> <login_path> <user_field> <pass_field>
# Example: ./verify_cve_2026_41037.sh https://192.0.2.10 /login username password
# Exit codes: 0=PATCHED 1=VULNERABLE 2=UNKNOWN 3=USAGE

set -u

if [ "$#" -ne 4 ]; then
  echo "UNKNOWN - usage: $0 <base_url> <login_path> <user_field> <pass_field>"
  exit 3
fi

BASE_URL="$1"
LOGIN_PATH="$2"
USER_FIELD="$3"
PASS_FIELD="$4"
URL="${BASE_URL%/}${LOGIN_PATH}"
TEST_USER="noisgate_probe_user"
TEST_PASS="Noisgate-Definitely-Wrong-Password-$(date +%s)"
ATTEMPTS=5
TMPDIR="$(mktemp -d)"
trap 'rm -rf "$TMPDIR"' EXIT

command -v curl >/dev/null 2>&1 || { echo "UNKNOWN - curl not found"; exit 2; }
command -v awk >/dev/null 2>&1 || { echo "UNKNOWN - awk not found"; exit 2; }

# Fetch login page first to look for obvious CAPTCHA markers.
HTML_FILE="$TMPDIR/login.html"
HTTP_CODE=$(curl -k -sS -L -o "$HTML_FILE" -w '%{http_code}' "$URL" 2>/dev/null)
if [ -z "$HTTP_CODE" ] || [ "$HTTP_CODE" = "000" ]; then
  echo "UNKNOWN - could not reach $URL"
  exit 2
fi

if grep -Eiq 'captcha|recaptcha|hcaptcha|cf-turnstile|turnstile' "$HTML_FILE"; then
  echo "PATCHED - login page exposes CAPTCHA challenge markers"
  exit 0
fi

RATE_LIMIT_HIT=0
TOTAL_TIME=0
RESP_CODES=""
BODY_MARKERS=0

for i in $(seq 1 "$ATTEMPTS"); do
  BODY_FILE="$TMPDIR/body_$i.txt"
  HDR_FILE="$TMPDIR/hdr_$i.txt"
  METRICS=$(curl -k -sS -D "$HDR_FILE" -o "$BODY_FILE" \
    -H 'Content-Type: application/x-www-form-urlencoded' \
    --data "${USER_FIELD}=${TEST_USER}&${PASS_FIELD}=${TEST_PASS}" \
    -w '%{http_code} %{time_total}' \
    "$URL" 2>/dev/null)

  CODE=$(echo "$METRICS" | awk '{print $1}')
  TIME=$(echo "$METRICS" | awk '{print $2}')
  RESP_CODES="$RESP_CODES $CODE"
  TOTAL_TIME=$(awk -v a="$TOTAL_TIME" -v b="$TIME" 'BEGIN { printf "%.6f", a + b }')

  if grep -Eiq '429 Too Many Requests|rate limit|too many attempts|temporarily blocked|account locked|try again later' "$HDR_FILE" "$BODY_FILE"; then
    RATE_LIMIT_HIT=1
  fi

  if grep -Eiq 'invalid|incorrect|failed|unauthorized|login' "$BODY_FILE"; then
    BODY_MARKERS=$((BODY_MARKERS + 1))
  fi

done

AVG_TIME=$(awk -v total="$TOTAL_TIME" -v n="$ATTEMPTS" 'BEGIN { if (n == 0) print 0; else printf "%.3f", total / n }')

# Simple heuristic:
# - If we saw explicit throttling/lockout/rate-limit language, call PATCHED.
# - If all attempts returned quickly, with no CAPTCHA and no lockout indicators, call VULNERABLE.
# - Otherwise UNKNOWN.
if [ "$RATE_LIMIT_HIT" -eq 1 ]; then
  echo "PATCHED - observed throttling/lockout indicators (codes:$RESP_CODES avg_time:${AVG_TIME}s)"
  exit 0
fi

FAST_RESPONSE=$(awk -v avg="$AVG_TIME" 'BEGIN { if (avg < 1.5) print 1; else print 0 }')
if [ "$FAST_RESPONSE" -eq 1 ] && [ "$BODY_MARKERS" -ge 3 ]; then
  echo "VULNERABLE - repeated failed logins completed without visible CAPTCHA or throttling (codes:$RESP_CODES avg_time:${AVG_TIME}s)"
  exit 1
fi

echo "UNKNOWN - endpoint reachable but result was inconclusive (codes:$RESP_CODES avg_time:${AVG_TIME}s)"
exit 2

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, do not treat this like emergency internet-facing RCE. First, inventory every QN-I-470 still on 6.1.1.B1, confirm whether its local web admin is reachable from user or Wi-Fi segments, and rotate any shared/default admin credentials immediately; for a MEDIUM verdict there is no noisgate mitigation SLA — go straight to the 365-day remediation window. Then get vendor-confirmed fixed firmware into your normal change program and complete upgrades within the noisgate remediation SLA of ≤365 days; if you discover flat-network exposure plus weak/shared local admin passwords, escalate those specific sites ahead of the general queue because your real risk is deployment-driven, not CVSS-driven.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.