Description
A weakness has been identified in Tenda 4G03 Pro 1.0/1.0re/01.bin/04.03.01.53. Affected by this issue is some unknown functionality of the file /etc/www/pem/server.key of the component ECDSA P-256 Private Key Handler. This manipulation causes use of hard-coded cryptographic key. It is possible to initiate the attack remotely.
Published: 2026-04-04
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Use of a hard‑coded ECDSA P‑256 private key exposes the device to spoofing and certificate forgery, compromising authentication of TLS sessions.
Action: Patch
AI Analysis

Impact

The vulnerability resides in Tenda 4G03 Pro firmware versions 1.0, 1.0re, 01.bin, and 04.03.01.53, where the ECDSA P‑256 private key is hard‑coded in /etc/www/pem/server.key. This allows an attacker to obtain the key or replace the key file, enabling the attacker to impersonate the device in TLS connections, forge certificates, and undermine the integrity of encrypted traffic. The impact is primarily on authentication and confidentiality of communications with the device.

Affected Systems

All Tenda 4G03 Pro routers running the affected firmware versions are impacted. The vulnerability is listed by the vendor Tenda and documented for those specific releases.

Risk and Exploitability

The CVSS score of 6.9 indicates a medium severity weakness. EPSS information is not available and the vulnerability is not in the KEV catalog, suggesting no widespread public exploit yet. Remote exploitation is possible as the flaw is related to the web administration component and the key file can be accessed over the network. An attacker with network reach to the device could read or replace the static key, then use it to forge TLS certificates or gain unauthorized access.

Generated by OpenCVE AI on April 5, 2026 at 02:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify the firmware version on each router and confirm it matches one of the listed affected releases.
  • Download and install the latest firmware from Tenda that removes the hard‑coded ECDSA key.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 00:00:00 +0000

Values Removed: none
Values Added:
  • First Time appeared: Tenda; Tenda 4g03 Pro
  • Vendors & Products: Tenda; Tenda 4g03 Pro

Mon, 06 Apr 2026 14:15:00 +0000

Values Removed: none
Values Added:
  • Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 04 Apr 2026 23:45:00 +0000

Values Removed: none
Values Added:
  • Description: A weakness has been identified in Tenda 4G03 Pro 1.0/1.0re/01.bin/04.03.01.53. Affected by this issue is some unknown functionality of the file /etc/www/pem/server.key of the component ECDSA P-256 Private Key Handler. This manipulation causes use of hard-coded cryptographic key. It is possible to initiate the attack remotely.
  • Title: Tenda 4G03 Pro ECDSA P-256 Private Key server.key hard-coded key
  • Weaknesses: CWE-320, CWE-321
  • References:
  • Metrics (cvssV2_0): {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:W/RC:UR'}
  • Metrics (cvssV3_0): {'score': 5.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:W/RC:R'}
  • Metrics (cvssV3_1): {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:W/RC:R'}
  • Metrics (cvssV4_0): {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-06T13:25:49.224Z

Reserved: 2026-04-04T06:20:03.869Z

Link: CVE-2026-5527

Vulnrichment

Updated: 2026-04-06T13:25:43.313Z

NVD

Status: Awaiting Analysis

Published: 2026-04-05T00:16:03.120

Modified: 2026-04-07T13:20:55.200

Link: CVE-2026-5527

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-06T21:57:28Z

Weaknesses