Plaintext Credential Transmission in Tenda Wireless Routers
CVE-2026-22079

8.7HIGH

Key Information:

Vendor

Tenda

Vendor
CVE Published:
9 January 2026

What is CVE-2026-22079?

A security vulnerability exists in Tenda wireless routers, specifically in the 300Mbps Wireless Router F3 and N300 Easy Setup Router models. This issue arises from the plaintext transmission of login credentials during initial setup or after a factory reset through the web-based administration interface. An attacker on the same local network can exploit this vulnerability by intercepting the network traffic and capturing the unencrypted credentials. If successful, this access could lead to unauthorized control over the device, compromising sensitive information and the security of the entire network.

Affected Version(s)

300Mbps Wireless Router F3 and N300 Easy Setup Router F3 v3.0 Firmware V12.01.01.41

300Mbps Wireless Router F3 and N300 Easy Setup Router F3 v3.0 Firmware V12.01.01.42

300Mbps Wireless Router F3 and N300 Easy Setup Router F3 v3.0 Firmware V12.01.01.48

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Adjacent Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

This vulnerability is reported by Deven Lunkad, Swaroop Dora, Naziya Aslam, and S. Venkatesan from IoT Security Research Lab, Indian Institute of Information Technology, Allahabad, India.
.