Description
Shenzhen Tenda F3 Wireless Router firmware V12.01.01.55_multi contains a clickjacking vulnerability in the web-based administrative interface. The interface does not set the X-Frame-Options header, allowing attacker-controlled sites to embed administrative pages in an iframe and trick an authenticated administrator into unintended interactions that may result in unauthorized configuration changes.
Published: 2026-02-23
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized configuration changes via clickjacking.
Action: Apply Fix
AI Analysis

Impact

Shenzhen Tenda F3 Wireless Router firmware V12.01.01.55_multi contains a clickjacking vulnerability in its web-based management interface. The interface fails to set the X-Frame-Options response header, allowing a malicious website to embed the router’s administrative pages inside an iframe. An authenticated administrator who visits the malicious site could be tricked into clicking on interface controls, potentially resulting in unauthorized configuration changes.

Affected Systems

Shenzhen Tenda Technology Co., Ltd. offers the Tenda F3 wireless router. The vulnerability applies to the F3 firmware version V12.01.01.55_multi; no other versions are explicitly mentioned.

Risk and Exploitability

The CVSS score of 5.1 indicates medium severity. The EPSS score is below 1%, indicating a very low likelihood of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector is remote: an attacker only needs to host a webpage that embeds the router’s administrative interface. The attack requires the victim to be authenticated to the router, so it is limited to administrators who already have access credentials. If the router’s interface is exposed externally, or if router management is accessible without network isolation, the risk increases.

Generated by OpenCVE AI on April 16, 2026 at 16:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Download and install the latest firmware from the official Tenda website that includes an X-Frame-Options header.
  • Configure the router to restrict administrative access to the local network or a secure VPN, and block the web interface from the Internet with firewall rules.
  • Monitor router logs for unexpected configuration changes and periodically verify that the administrative interface does not appear in embedded frames.

Generated by OpenCVE AI on April 16, 2026 at 16:35 UTC.
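
The header check behind the last recommended action, as an added example (not part of the advisory and not vendor or OpenCVE code): it classifies a response's framing protection from its headers, and goes beyond X-Frame-Options to cover the CSP frame-ancestors directive that current browsers give precedence. The sample header sets are constructed, not captured from a Tenda device.

```python
# Added example: classify clickjacking (framing) protection from response headers.
BROAD = {"*", "http:", "https:"}      # frame-ancestors sources that admit any origin
XFO_OK = {"DENY", "SAMEORIGIN"}       # X-Frame-Options values current browsers honour

def frame_ancestors(csp_value):
    """Return the frame-ancestors source set from one CSP header value, or None."""
    for directive in csp_value.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return {p.lower() for p in parts[1:]}
    return None

def framing_policy(headers):
    """headers: list of (name, value) pairs. Returns (verdict, reason)."""
    csp = [frame_ancestors(v) for n, v in headers
           if n.lower() == "content-security-policy"]
    csp = [s for s in csp if s is not None]
    xfo = {t.strip().upper() for n, v in headers
           if n.lower() == "x-frame-options" for t in v.split(",") if t.strip()}
    # All enforced CSP headers apply together, so one restrictive list is enough.
    if any(not (s & BROAD) for s in csp):
        return "protected", "CSP frame-ancestors restricts embedding"
    # An enforced frame-ancestors directive makes browsers ignore X-Frame-Options.
    if csp:
        return "frameable", "frame-ancestors admits any origin; X-Frame-Options ignored"
    if xfo and xfo <= XFO_OK:
        return "protected", "X-Frame-Options: " + ", ".join(sorted(xfo))
    if xfo:  # e.g. obsolete ALLOW-FROM, or a misspelled value
        return "unreliable", "X-Frame-Options value is not DENY or SAMEORIGIN"
    return "frameable", "no X-Frame-Options and no CSP frame-ancestors"

# Constructed header sets (not captured from a real device).
SAMPLES = {
    "no framing headers": [("Content-Type", "text/html")],
    "X-Frame-Options only": [("X-Frame-Options", "sameorigin")],
    "obsolete ALLOW-FROM": [("X-Frame-Options", "ALLOW-FROM https://example.test")],
    "CSP frame-ancestors 'none'": [
        ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'")],
    "broad CSP overrides XFO": [
        ("X-Frame-Options", "DENY"),
        ("Content-Security-Policy", "frame-ancestors *")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(f"{label:28} {framing_policy(hdrs)}")
```

Feed it the header pairs from a response of the management interface on each firmware you run; anything other than `protected` means the page can still be framed in at least some browsers.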


Advisories

No advisories yet.

History

Tue, 24 Feb 2026 20:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Feb 2026 20:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Tenda; Tenda f3; Tenda f3 Firmware

Type: CPEs
Values Removed: (none)
Values Added: cpe:2.3:h:tenda:f3:-:*:*:*:*:*:*:*; cpe:2.3:o:tenda:f3_firmware:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Removed: (none)
Values Added: Tenda; Tenda f3; Tenda f3 Firmware

Mon, 23 Feb 2026 17:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: Shenzhen Tenda F3 Wireless Router firmware V12.01.01.55_multi contains a clickjacking vulnerability in the web-based administrative interface. The interface does not set the X-Frame-Options header, allowing attacker-controlled sites to embed administrative pages in an iframe and trick an authenticated administrator into unintended interactions that may result in unauthorized configuration changes.

Type: Title
Values Removed: (none)
Values Added: Tenda F3 Clickjacking in Web Management Interface

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-1021

Type: References
Values Removed: (none)
Values Added:

Type: Metrics
Values Removed: (none)
Values Added:
cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}
cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T01:31:20.021Z

Reserved: 2026-02-19T19:51:07.328Z

Link: CVE-2026-27511

Vulnrichment

Updated: 2026-02-23T18:39:01.840Z

NVD

Status: Analyzed

Published: 2026-02-23T17:23:29.473

Modified: 2026-02-23T20:16:49.310

Link: CVE-2026-27511

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T16:45:25Z

Weaknesses