Description
Shenzhen Tenda F3 Wireless Router firmware V12.01.01.55_multi contains a cross-site request forgery (CSRF) vulnerability in the web-based administrative interface. The interface does not implement anti-CSRF protections, allowing an attacker to induce an authenticated administrator to submit state-changing requests, which can result in unauthorized configuration changes.
Published: 2026-02-23
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized configuration changes via CSRF
Action: Patch Firmware
AI Analysis

Impact

The Tenda F3 Wireless Router firmware V12.01.01.55_multi lacks anti‑CSRF protections in its web‑based administrative interface, allowing an attacker to trick an authenticated administrator into submitting state‑changing requests. The resulting unauthorized configuration changes can alter router settings, potentially exposing the network to further attacks or disrupting service. This vulnerability is identified as CWE‑352.

Affected Systems

Shenzhen Tenda Technology’s Tenda F3 wireless router, firmware version 12.01.01.55_multi. No other firmware versions are listed in the advisory, but the issue may affect any version lacking the patch that implements CSRF protection.

Risk and Exploitability

With a CVSS score of 5.1, the vulnerability carries a moderate risk. The EPSS score is less than 1%, indicating a low likelihood of exploitation. It is not included in the CISA Known Exploited Vulnerabilities catalog. The attack vector relies on a CSRF scenario against a logged‑in administrator, meaning the attacker must persuade a legitimate admin to visit a crafted page or follow a malicious link. The lack of anti‑CSRF safeguards makes exploitation straightforward for those who can reach the admin session.

Generated by OpenCVE AI on April 17, 2026 at 16:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest firmware release provided by Shenzhen Tenda Technology that includes CSRF protection, ensuring that the router’s administrative interface is updated to a version with anti‑CSRF mechanisms.
  • Apply security best practices, such as enabling HTTPS for the management interface and disabling remote management unless absolutely required.
  • Monitor the router for unexpected configuration changes and maintain logs to detect potential CSRF exploitation attempts.

Advisories

No advisories yet.

History

Mon, 23 Feb 2026 20:15:00 +0000

| Type | Values Removed | Values Added |
| First Time appeared | | Tenda; Tenda f3; Tenda f3 Firmware |
| CPEs | | cpe:2.3:h:tenda:f3:-:*:*:*:*:*:*:*; cpe:2.3:o:tenda:f3_firmware:*:*:*:*:*:*:*:* |
| Vendors & Products | | Tenda; Tenda f3; Tenda f3 Firmware |

Mon, 23 Feb 2026 19:15:00 +0000

| Type | Values Removed | Values Added |
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |

Mon, 23 Feb 2026 17:00:00 +0000

| Type | Values Removed | Values Added |
| Description | | Shenzhen Tenda F3 Wireless Router firmware V12.01.01.55_multi contains a cross-site request forgery (CSRF) vulnerability in the web-based administrative interface. The interface does not implement anti-CSRF protections, allowing an attacker to induce an authenticated administrator to submit state-changing requests, which can result in unauthorized configuration changes. |
| Title | | Tenda F3 CSRF in Web Management Interface |
| Weaknesses | | CWE-352 |
| References | | |
| Metrics | | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'} |
| | | cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'} |

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T01:31:21.676Z

Reserved: 2026-02-19T19:51:07.328Z

Link: CVE-2026-27513

Vulnrichment

Updated: 2026-02-23T18:36:31.971Z

NVD

Status: Analyzed

Published: 2026-02-23T17:23:29.890

Modified: 2026-02-23T20:14:24.857

Link: CVE-2026-27513

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T16:30:05Z

Weaknesses