Description
Shenzhen Tenda AC7 firmware version V03.03.03.01_cn and prior does not implement CSRF protections for administrative functions in the web management interface. The interface does not enforce anti-CSRF tokens or robust origin validation, which can allow an attacker to induce a logged-in administrator to perform unintended state-changing requests and modify router settings.
Published: 2026-02-03
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized configuration change
Action: Update firmware
AI Analysis

Impact

The Tenda AC7 firmware V03.03.03.01_cn and earlier versions lack CSRF protection for administrative web actions, allowing an attacker to trick a logged‑in administrator into submitting unintended state‑changing requests; this can modify router settings, firewall rules or wireless parameters, thereby compromising the device’s integrity and availability (CWE‑352).

Affected Systems

Shenzhen Tenda Technology Co., Ltd. manufactures the Tenda AC7 wireless router; firmware versions V03.03.03.01_cn and all prior builds are affected.

Risk and Exploitability

The CVSS v3.1 score of 5.1 indicates moderate severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation; the vulnerability is not listed in CISA KEV. An attacker must place a malicious link or form on a page that an authenticated administrator visits, relying on the lack of anti‑CSRF tokens or origin checks to send automated requests that alter router configuration.

Generated by OpenCVE AI on April 18, 2026 at 18:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a firmware update that includes CSRF protections for administrative actions.
  • If no update is available, restrict access to the router’s web management interface to a trusted local network, or limit it with a firewall rule.
  • Enforce strong, unique administrator passwords and consider network segmentation to reduce exposure of the management interface.



Advisories

No advisories yet.

History

Tue, 10 Feb 2026 14:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Tenda ac7 Firmware
CPEs | | cpe:2.3:h:tenda:ac7:-:*:*:*:*:*:*:*; cpe:2.3:o:tenda:ac7_firmware:*:*:*:*:*:*:*:*
Vendors & Products | | Tenda ac7 Firmware
Metrics | | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}


Wed, 04 Feb 2026 12:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Tenda; Tenda ac7
Vendors & Products | | Tenda; Tenda ac7

Tue, 03 Feb 2026 22:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 03 Feb 2026 19:45:00 +0000

Type | Values Removed | Values Added
Description | | Shenzhen Tenda AC7 firmware version V03.03.03.01_cn and prior does not implement CSRF protections for administrative functions in the web management interface. The interface does not enforce anti-CSRF tokens or robust origin validation, which can allow an attacker to induce a logged-in administrator to perform unintended state-changing requests and modify router settings.
Title | | Tenda AC7 Web Interface Lacks CSRF Protections for Admin Actions
Weaknesses | | CWE-352
References | |
Metrics | | cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T01:30:35.673Z

Reserved: 2026-01-22T20:23:19.803Z

Link: CVE-2026-24434

Vulnrichment

Updated: 2026-02-03T21:29:01.117Z

NVD

Status: Analyzed

Published: 2026-02-03T20:15:58.520

Modified: 2026-02-10T14:11:25.187

Link: CVE-2026-24434

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T18:45:05Z

Weaknesses