Description
This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the plaintext transmission of login credentials during the initial login or post-factory reset setup through the web-based administrative interface. An attacker on the same network could exploit this vulnerability by intercepting network traffic and capturing the credentials transmitted in plaintext.

Successful exploitation of this vulnerability could allow the attacker to obtain sensitive information and gain unauthorized access to the targeted device.
Published: 2026-01-09
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive information exposure and unauthorized device access
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from the transmission of login credentials in cleartext during the initial configuration of Tenda 300Mbps Wireless Router F3 and N300 Easy Setup Router. This allows an attacker on the same local network to capture administrator usernames and passwords, resulting in potential unauthorized access to the device and exposure of sensitive information. The weakness is a cleartext transmission flaw, classified as CWE‑319.

Affected Systems

Affected models include Tenda’s 300 Mbps Wireless Router F3 and N300 Easy Setup Router. No additional version details are provided, so all firmware versions shipping on these devices may be vulnerable until patched.

Risk and Exploitability

The CVSS score of 8.7 places the issue in the high severity category, yet the EPSS score is below 1%, indicating a low probability of exploitation at present. The flaw is not listed in CISA’s KEV catalog, suggesting limited known exploitation. The likely attack vector is local network traffic interception: only an attacker who is physically present or otherwise has access to the router’s LAN can leverage the flaw, and must capture the unencrypted HTTP traffic during setup.

Generated by OpenCVE AI on April 18, 2026 at 07:24 UTC.

Remediation

Vendor Solution

Apply appropriate updates as mentioned by the vendor: https://www.tendacn.com/in/material/show/724624313163845


OpenCVE Recommended Actions

  • Apply the latest firmware update released by Tenda as per the vendor’s instructions.
  • After updating, ensure the router’s administrative interface uses HTTPS or disable remote HTTP access.
  • Change the default administrator credentials to strong, unique passwords.

Advisories

No advisories yet.

History

Fri, 09 Jan 2026 16:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Fri, 09 Jan 2026 13:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Tenda; Tenda f3; Tenda n300 |
| Vendors & Products | | Tenda; Tenda f3; Tenda n300 |

Fri, 09 Jan 2026 11:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Title | Cleartext Transmission Vulnerability in Tenda wireless routers | Cleartext Transmission Vulnerability in Tenda Wireless Routers |

Fri, 09 Jan 2026 11:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the plaintext transmission of login credentials during the initial login or post-factory reset setup through the web-based administrative interface. An attacker on the same network could exploit this vulnerability by intercepting network traffic and capturing the credentials transmitted in plaintext. Successful exploitation of this vulnerability could allow the attacker to obtain sensitive information and gain unauthorized access to the targeted device. |
| Title | | Cleartext Transmission Vulnerability in Tenda wireless routers |
| Weaknesses | | CWE-319 |
| References | | |
| Metrics | | cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: CERT-In

Published:

Updated: 2026-01-09T15:15:27.815Z

Reserved: 2026-01-06T07:52:50.901Z

Link: CVE-2026-22079

Vulnrichment

Updated: 2026-01-09T15:15:23.369Z

NVD

Status: Deferred

Published: 2026-01-09T11:15:50.617

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-22079

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T07:30:36Z

Weaknesses