Description
A security flaw has been discovered in Tenda 4G03 Pro up to 1.0/1.1/04.03.01.53/192.168.0.1. Affected by this vulnerability is an unknown functionality of the file /bin/httpd. The manipulation results in improper access controls. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks.
Published: 2026-04-04
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access via Improper Access Control
Action: Apply Patch
AI Analysis

Impact

The Tenda 4G03 Pro firmware versions up to 1.0, 1.1, and 04.03.01.53 contain an improper access control flaw in the /bin/httpd binary. An attacker who can reach the device's web interface can potentially bypass authentication or gain unauthorized administrative capabilities, exposing the router’s configuration and network traffic to compromise.

Affected Systems

This issue affects Tenda routers identified as the 4G03 Pro model running firmware versions 1.0, 1.1, and 04.03.01.53. The device is typically accessed via the default local IP of 192.168.0.1 and is intended to be managed over a LAN or VPN. No other vendor or product variants are explicitly listed.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity, and though EPSS data is missing, the fact that a public exploit is available and the attack can be carried out remotely elevates the real‑world risk. Attackers need only network access to the device’s web interface; no credentials or special knowledge are required beyond a standard web request. The vulnerability is not included in CISA’s KEV catalog, but the public nature of the exploit suggests that it could be widely used once discovered.

Generated by OpenCVE AI on April 5, 2026 at 00:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update from Tenda that addresses the httpd access control issue.
  • If an update is unavailable, disable the httpd service or restrict its access to trusted internal networks only.
  • Change default administrative credentials to strong, unique passwords for all accounts.
  • Restrict remote management to a VPN or whitelist specific IP addresses.
  • Monitor device logs for unauthorized access attempts and verify the device’s network activity regularly.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 00:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Tenda; Tenda 4g03 Pro

Type: Vendors & Products
Values Removed: (none)
Values Added: Tenda; Tenda 4g03 Pro

Mon, 06 Apr 2026 15:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 04 Apr 2026 22:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: A security flaw has been discovered in Tenda 4G03 Pro up to 1.0/1.1/04.03.01.53/192.168.0.1. Affected by this vulnerability is an unknown functionality of the file /bin/httpd. The manipulation results in improper access controls. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks.

Type: Title
Values Removed: (none)
Values Added: Tenda 4G03 Pro httpd access control

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-266; CWE-284

Type: References
Values Removed: (none)
Values Added:

Type: Metrics
Values Removed: (none)
Values Added:
cvssV2_0 {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:W/RC:UR'}
cvssV3_0 {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:W/RC:R'}
cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:W/RC:R'}
cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-06T14:51:31.134Z

Reserved: 2026-04-04T06:19:57.834Z

Link: CVE-2026-5526

Vulnrichment

Updated: 2026-04-06T14:28:23.772Z

NVD

Status: Awaiting Analysis

Published: 2026-04-04T23:16:44.290

Modified: 2026-04-07T13:20:55.200

Link: CVE-2026-5526

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-06T21:57:29Z

Weaknesses