CVE-2025-24322
An unsafe default authentication vulnerability exists in the Initial Setup Authentication functionality of Tenda AC6 V5.0 V02.03.01.110. A specially crafted network request can lead to arbitrary code execution. An attacker can browse to the device to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Tenda AC6 V5.0 V02.03.01.110
AC6 V5.0 - https://www.tendacn.com/product/ac6v5.html
8.1 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-304 - Missing Critical Step in Authentication
The Tenda AC1200 AC6 is an IPv6 smart wifi router that supports multiple configuration types for home connectivity options. Extremely popular and affordable in online sellers, the Tenda AC1200 AC6 sees large usage in the home-networking space.
When initially installing the Tenda AC6 AC1300 router, the setup wizard allows the user to setup the WAN connection type (e.g. PPPoe, Dynamic IP Address, static IP address) and the parameters needed to set this connection up. Likewise, the initial setup wizard also requires a Wifi SSID name and also a Wifi Password to be set.
However, notably missing from the initial setup wizard is any sort of web portal username and login, and there’s also no subsequent window requiring these to be set. After inputting the required information, the router will fully function to connect Wifi clients to the internet without any warning that a username or password needs to be set for the web portal, and will login anyone on the local network who can talk to the router on the LAN side, giving them full administrative access. The setting of a web portal password requires extra configuration in the “Administration” tab of the device, and no warning is ever given to the owners of the device.
Given that this is such a unique setup process and also the popularity of this device, it is reasonable to assume that a large number of the routers currently in use require no authentication at all in order to have full control of the device from the LAN side, even allowing the flashing of arbitrary and malicious firmware.
2025-04-29 - Initial Vendor Contact
2025-04-30 - Vendor Disclosure
2025-05-05 - Vendor Feedback Request
2025-05-08 - Vendor Feedback Request
2025-05-12 - Vendor Feedback Request
2025-06-11 - Vendor Feedback Request
2025-07-07 - Feedback Request / Announcement Of Upcoming Release Date
2025-07-23 - Feedback Request / Announcement Of Upcoming Release Date
2025-08-19 - Announcement Of Upcoming Release Date
2025-08-20 - Public Release
Discovered by Lilith >_> of Cisco Talos.