Description
This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the transmission of credentials encoded using reversible Base64 encoding through the web-based administrative interface. An attacker on the same network could exploit this vulnerability by intercepting network traffic and capturing the Base64-encoded credentials.

Successful exploitation of this vulnerability could allow the attacker to obtain sensitive information and gain unauthorized access to the targeted device.
Published: 2026-01-09
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Credential Exposure
Action: Patch Immediately
AI Analysis

Impact

The Tenda 300Mbps Wireless Router F3 and N300 Easy Setup Router transmit administrative credentials using reversible Base64 encoding over the web interface. Decoding the captured data allows an attacker to read the username and password, providing direct access to the device's configuration and potentially the network. This flaw leads to compromising confidentiality of credentials and enables unauthorized administrative control of the router.

Affected Systems

Vulnerable models include the Tenda 300Mbps Wireless Router F3 and the N300 Easy Setup Router, which are distributed globally for home and small office use. No specific firmware revision is listed, indicating that all releases of these models are affected unless a later firmware addresses the issue. The vulnerability applies regardless of the wireless standards used, affecting devices that rely on the web‑based admin portal.

Risk and Exploitability

The flaw carries a CVSS v3.1 score of 8.7, classifying it as high severity. Exploit likelihood is low based on an EPSS score below 1%; however, devices are typically local to a network segment, making the attack vector local and the attacker capable of sniffing traffic with relative ease. The vulnerability is not yet represented in the CISA KEV catalog, but the available analysis indicates that an active Windows or Linux machine on the same network can capture the Base64 stream, decode it and immediately log into the router’s administrative console.

Generated by OpenCVE AI on April 18, 2026 at 07:24 UTC.

Remediation

Vendor Solution

Apply appropriate updates as mentioned by the vendor: https://www.tendacn.com/in/material/show/724624313163845

OpenCVE Recommended Actions

  • Apply the vendor's firmware patch from the documented URL
  • Configure the router to use HTTPS for the administrative interface or disable the web‑based console if not needed
  • Change the default administrator password to a strong, unique value and enable WPA2 or WPA3 encryption on the wireless network to reduce the risk of packet capture

Generated by OpenCVE AI on April 18, 2026 at 07:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 09 Jan 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 09 Jan 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Tenda
Tenda f3
Tenda n300
Vendors & Products Tenda
Tenda f3
Tenda n300

Fri, 09 Jan 2026 11:45:00 +0000

Type Values Removed Values Added
Title Insecure Transmission Vulnerability in Tenda wireless routers Insecure Transmission Vulnerability in Tenda Wireless Routers

Fri, 09 Jan 2026 11:15:00 +0000

Type Values Removed Values Added
Description This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the transmission of credentials encoded using reversible Base64 encoding through the web-based administrative interface. An attacker on the same network could exploit this vulnerability by intercepting network traffic and capturing the Base64-encoded credentials. Successful exploitation of this vulnerability could allow the attacker to obtain sensitive information and gain unauthorized access to the targeted device.
Title Insecure Transmission Vulnerability in Tenda wireless routers
Weaknesses CWE-319
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Tenda F3 N300
cve-icon MITRE

Status: PUBLISHED

Assigner: CERT-In

Published:

Updated: 2026-01-09T15:12:48.077Z

Reserved: 2026-01-06T07:52:50.901Z

Link: CVE-2026-22080

cve-icon Vulnrichment

Updated: 2026-01-09T15:12:43.670Z

cve-icon NVD

Status : Deferred

Published: 2026-01-09T11:15:51.150

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-22080

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T07:30:36Z

Weaknesses