Impact
The vulnerability arises from the fact that session cookies used by the web-based administrative interface of the Tenda 300Mbps Wireless Router F3 and the N300 Easy Setup Router are not set with the HttpOnly flag. Without this flag, the cookies can be read by client-side scripts or observed on the network if transmitted over plain HTTP, allowing a remote attacker to capture a valid session token. The attacker may then use the cookie to impersonate an authenticated administrator, gain privileged control over the device, and potentially read sensitive configuration data. This weakness is classified as CWE-1004, "Cookie Not Secure or HttpOnly".
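A practical way to check for this class of weakness on any device you administer is to audit the Set-Cookie headers of the login response. The following is an added example, not code from the advisory or from the vendor: it parses raw HTTP responses and reports session cookies that lack HttpOnly or Secure. The cookie name admin_session and both responses are constructed for illustration.

```python
from dataclasses import dataclass

# Attributes a session cookie should carry (compared case-insensitively).
REQUIRED = ("httponly", "secure")


@dataclass
class CookieFinding:
    name: str
    missing: list  # required attributes absent from this cookie


def parse_set_cookie(header_value: str):
    """Split one Set-Cookie value into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_response(raw_response: str, session_markers=("session",)):
    """Return a CookieFinding for every Set-Cookie header in a raw HTTP
    response whose name contains a session marker and lacks a REQUIRED flag."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    findings = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        key, sep, value = line.partition(":")
        if not sep or key.strip().lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if not any(m in name.lower() for m in session_markers):
            continue
        missing = [a for a in REQUIRED if a not in attrs]
        if missing:
            findings.append(CookieFinding(name, missing))
    return findings


# Constructed sample responses (not captured from a real device).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: admin_session=abc123; Path=/\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: admin_session=abc123; Path=/; HttpOnly; Secure; SameSite=Strict\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(resp))
```

The weak response reproduces the advisory's condition (session cookie with no HttpOnly); the hardened one shows the header a fixed firmware should send.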
Affected Systems
The affected products are the Tenda 300Mbps Wireless Router F3 and the N300 Easy Setup Router. No specific firmware version range is listed in the advisory, so all current models should be considered at risk until the vendor’s update is applied.
Risk and Exploitability
The CVSS score of 8.8 indicates a high-severity vulnerability, while the very low EPSS score (<1%) suggests that widespread exploitation is currently unlikely. The advisory does not list this vulnerability in the CISA KEV catalog, meaning no confirmed in-the-wild exploitation has been recorded there. The attack surface is remote: an attacker only needs network access to the router's web interface over HTTP, which is typically exposed on local or broader networks. Successful exploitation would grant the attacker administrator privileges, enabling configuration theft, persistence, or further lateral movement within the network.
OpenCVE Enrichment