CVE-2026-11493 - Vulnerability Details

- Tenda AC15 Samba smb.conf weak password

Description

A weakness has been identified in Tenda AC15 15.03.05.19. The impacted element is an unknown function of the file /etc_ro/smb.conf of the component Samba. Executing a manipulation can lead to weak password requirements. The attack is only possible within the local network. A high complexity level is associated with this attack. The exploitability is regarded as difficult. The exploit has been made available to the public and could be used for attacks.

Published: 2026-06-08

Score: 2.3 Low

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A weakness in the Samba configuration file on the Tenda AC15 router allows weak password requirements to be enforced, enabling local users to authenticate with insufficient credentials. The vulnerability is linked to an unknown function in /etc_ro/smb.conf and is classified as CWE‑521, involving weak authentication. Exploitation requires local network access and a high complexity level, but public exploit code is available, indicating that the attack is possible in practice.

Affected Systems

The affected product is the Tenda AC15 router, firmware version 15.03.05.19, as identified by the CNA vendor/product list. The vulnerable component is the Samba service that ships with the firmware, with its configuration located in /etc_ro/smb.conf.

Risk and Exploitability

The CVSS score of 2.3 indicates low overall severity, and the EPSS score is not available. The vulnerability is not listed in the CISA KEV catalog. Because exploitation is limited to a local network, the attack vector is likely local. Although the complexity is high and effectiveness is considered difficult, public exploit code has been released, which could be used by an attacker with local network access to bypass password controls and gain unauthorized access to the device or shared resources.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Tenda

AC15

affected

Version	Status	Constraints
`15.03.05.19`	affected	—

No data.

Vendor Product Confidence Versions

Tenda

Ac15

100%

Version	Status	Scheme	Platform
`15.03.05.19`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the router’s firmware to the latest version that addresses the Samba password policy issue
Disable or remove the Samba service if it is not required for the network
Modify /etc_ro/smb.conf to enforce strong password requirements, such as a minimum password length, or disable guest access
Implement network segmentation or firewall rules to limit local access to the Samba service

Generated by OpenCVE AI on June 8, 2026 at 07:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Adjacent Network

Access Complexity High

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00224.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://vuldb.com/cve/CVE-2026-11493
https://vuldb.com/submit/834818
https://vuldb.com/vuln/369113
https://vuldb.com/vuln/369113/cti
https://www.notion.so/Tenda-AC15-V15-03-05-19-3671f5ba98908023b508dc0330624dcd?source=copy_link
https://www.tenda.com.cn/

History

Mon, 08 Jun 2026 14:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 08 Jun 2026 07:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Tenda ac15
Vendors & Products		Tenda ac15

Mon, 08 Jun 2026 06:30:00 +0000

Type	Values Removed	Values Added
Description		A weakness has been identified in Tenda AC15 15.03.05.19. The impacted element is an unknown function of the file /etc_ro/smb.conf of the component Samba. Executing a manipulation can lead to weak password requirements. The attack is only possible within the local network. A high complexity level is associated with this attack. The exploitability is regarded as difficult. The exploit has been made available to the public and could be used for attacks.
Title		Tenda AC15 Samba smb.conf weak password
First Time appeared		Tenda Tenda ac15 Firmware
Weaknesses		CWE-521
CPEs		cpe:2.3:o:tenda:ac15_firmware::::::::
Vendors & Products		Tenda Tenda ac15 Firmware
References		https://vuldb.com/cve/CVE-2026-11493 https://vuldb.com/submit/834818 https://vuldb.com/vuln/369113 https://vuldb.com/vuln/369113/cti https://www.notion.so/Tenda-AC15-V15-03-05-19-3671f5ba98908023b508dc0330624dcd?source=copy_link https://www.tenda.com.cn/
Metrics		cvssV2_0 `{'score': 4.3, 'vector': 'AV:A/AC:H/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 5, 'vector': 'CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 5, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 2.3, 'vector': 'CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Tenda Ac15 Ac15 Firmware

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-06-08T05:45:09.868Z

Updated: 2026-06-08T13:30:41.606Z

Reserved: 2026-06-07T10:18:43.938Z

Link: CVE-2026-11493

Vulnrichment

Updated: 2026-06-08T13:30:37.168Z

NVD

Status : Deferred

Published: 2026-06-08T07:16:27.030

Modified: 2026-06-08T14:57:14.757

Link: CVE-2026-11493

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-08T08:00:14Z

Weaknesses

CWE-521
Weak Password Requirements

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Adjacent Network

Access Complexity High

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object