Talos Vulnerability Report

TALOS-2025-2162

Tenda AC6 V5.0 web portal authentication unencrypted transmission of credentials vulnerability

August 20, 2025

CVE NUMBER

CVE-2025-27564

SUMMARY

An unencrypted transmission of credentials vulnerability exists in the web portal authentication functionality of Tenda AC6 V5.0 V02.03.01.110. A specially crafted network packet can lead to arbitrary authentication. An attacker can sniff network traffic to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Tenda AC6 V5.0 V02.03.01.110

PRODUCT URLS

AC6 V5.0 - https://www.tendacn.com/product/ac6v5.html

CVSSv3 SCORE

8.8 - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-319 - Cleartext Transmission of Sensitive Information

DETAILS

The Tenda AC1200 AC6 is an IPv6 smart wifi router that supports multiple configuration types for home connectivity options. Extremely popular and affordable among online sellers, the Tenda AC1200 AC6 sees large usage in the home-networking space.

The Tenda AC1200 AC6 hosts an HTTP web portal on port 80 to provide online management and administration to the users. After a password is set on the device, trying to access the router via this web portal will provide a login page to the user. An example of the web request used for logging into this portal with the password ‘abc123’ is given below:

GET /index.html HTTP/1
Host: 192.168.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.1/login.html
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Priority: u=0, i

password=YWJjMTIz  // [1]

As seen at [1], a cleartext password is present within the POST data. Upon decoding the password using base64, we see the following:

$ echo -n 'YWJjMTIz' | base64 -d
abc123

Thus, any attacker who is able to sniff this authentication request obtains not merely a replayable hash or some other obfuscated value, but the actual password in base64 form. With this password, the attacker could even flash arbitrary firmware onto the device.
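For defenders auditing their own captures or proxy logs, the check below flags login requests that carry a credential field over plain HTTP and reports whether the value is merely base64-encoded. It is an added example, not code from Talos or Tenda; the function names, the extra field names beyond "password", and the embedded sample request are assumptions constructed for illustration.

```python
import base64
import binascii
from urllib.parse import unquote

# "password" is the field shown in the advisory; the other names are
# assumptions added for this example.
CREDENTIAL_FIELDS = {"password", "passwd", "pwd"}

# Constructed sample mirroring the advisory's request (CRLF line endings).
SAMPLE = (b"GET /index.html HTTP/1\r\nHost: 192.168.0.1\r\n"
          b"Referer: http://192.168.0.1/login.html\r\n\r\npassword=YWJjMTIz")


def split_request(raw: bytes):
    """Split a raw HTTP/1.x request into (headers dict, body string)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers, body.decode("latin-1").strip()


def reversible_base64(value: str) -> bool:
    """True if value is strict base64 that decodes to printable ASCII."""
    try:
        decoded = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return bool(decoded) and all(32 <= b < 127 for b in decoded)


def audit_request(raw: bytes):
    """Flag credential fields in a request captured from plain HTTP.

    The decoded secret is never returned, only whether it is recoverable.
    """
    headers, body = split_request(raw)
    findings = []
    for pair in filter(None, body.split("&")):
        name, _, value = pair.partition("=")
        # unquote (not unquote_plus) keeps a literal '+' from base64 intact
        name, value = unquote(name), unquote(value)
        if name.lower() in CREDENTIAL_FIELDS:
            findings.append({"host": headers.get("host", "unknown"),
                             "field": name, "cwe": "CWE-319",
                             "reversible": reversible_base64(value)})
    return findings
```

Running audit_request(SAMPLE) yields one finding for host 192.168.0.1 with "reversible" set, which is the condition this advisory describes.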

TIMELINE

2025-04-29 - Initial Vendor Contact
2025-04-30 - Vendor Disclosure
2025-05-05 - Vendor Feedback Request
2025-05-08 - Vendor Feedback Request
2025-05-12 - Vendor Feedback Request
2025-06-11 - Vendor Feedback Request
2025-07-07 - Feedback Request / Announcement Of Upcoming Release Date
2025-07-23 - Feedback Request / Announcement Of Upcoming Release Date
2025-08-19 - Announcement Of Upcoming Release Date
2025-08-20 - Public Release

CREDIT

Discovered by Lilith >_> of Cisco Talos.