Talos Vulnerability Report

TALOS-2025-2167

Tenda AC6 V5.0 Session Authentication Cookie unencrypted transmission of credentials vulnerability

August 20, 2025
CVE Number

CVE-2025-31646

SUMMARY

An unencrypted transmission of credentials vulnerability exists in the Session Authentication Cookie functionality of Tenda AC6 V5.0 V02.03.01.110. A specially crafted set of network packets can lead to authentication bypass. An attacker can sniff network traffic to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Tenda AC6 V5.0 V02.03.01.110

PRODUCT URLS

AC6 V5.0 - https://www.tendacn.com/product/ac6v5.html

CVSSv3 SCORE

8.8 - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-319 - Cleartext Transmission of Sensitive Information

DETAILS

The Tenda AC1200 AC6 is an IPv6 smart wifi router that supports multiple configuration types for home connectivity options. Extremely popular and affordable from online sellers, the Tenda AC1200 AC6 sees large usage in the home-networking space.

The Tenda AC1200 AC6 hosts an HTTP web portal on port 80 to provide online management and administration to the users. After a password is set on the device, trying to access the router via this web portal will provide a login page to the user, which is typical for many network-connected devices and programs. Even after logging in, the user will continuously authenticate to the router via a session cookie.
An example of this is given below in the periodic request that a logged-in user will send to the router:

GET /goform/getStatus?random=0.7632476893792813&modules=internetStatus%2CdeviceStatistics%2CsystemInfo%2CwanAdvCfg%2CwifiRelay%2CwifiBasicCfg%2CsysTime HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:136.0) Gecko/20100101 Firefox/136.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://192.168.0.1/index.html
Cookie: bLanguage=en; ecos_pw=YWJjMTIz1qw:language=cn

In this situation, the administrative password is abc123. If we examine the ecos_pw cookie, its value is YWJjMTIz1qw. Doing a quick base64 decode of this value shows the following:

echo -n 'YWJjMTIz1qw' | base64 -d
abc123֬base64: invalid input

As it turns out, the router sets this ecos_pw cookie to nothing more than the base64-encoded administrative password with a 3-character suffix appended, the suffix being generated from various values. This 3-character suffix does not particularly matter, since it can simply be ignored, and the administrative password can then be recovered by sniffing literally any of the network traffic a logged-in user sends to the router, traffic which is also sent automatically and periodically to refresh UI statistics. In summary, without the login process itself ever being observed, sniffing any traffic from a logged-in user to the Tenda AC6 AC1300 will disclose the administrative password and give an attacker full access to the device, including the ability to flash arbitrary firmware.
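As an added illustration (not part of the Talos advisory), the following Python detector parses a captured HTTP request, isolates the ecos_pw cookie, strips the 3-character suffix and base64-decodes what remains, so a network monitor can alert whenever a logged-in session on the LAN is exposing the administrative credential in the clear. The sample request is constructed from the one shown above; the base64 re-padding and the empty-value check are assumptions beyond what the advisory states.

```python
import base64
import binascii
import re

# Constructed sample modelled on the periodic status poll shown in the advisory.
SAMPLE_REQUEST = (
    "GET /goform/getStatus?random=0.7632476893792813&modules=systemInfo HTTP/1.1\r\n"
    "Host: 192.168.0.1\r\n"
    "Cookie: bLanguage=en; ecos_pw=YWJjMTIz1qw:language=cn\r\n"
    "\r\n"
)

SUFFIX_LEN = 3  # the advisory: a 3-character suffix follows the base64 password


def decode_ecos_pw(value):
    """Drop the trailing suffix, re-pad and base64-decode the cookie value.

    Returns the recovered text, or None when nothing decodes cleanly. Re-padding
    is an assumption: the advisory's example needs none.
    """
    core = value[:-SUFFIX_LEN]
    if not core:
        return None
    core += "=" * (-len(core) % 4)
    try:
        return base64.b64decode(core, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def find_cleartext_credentials(raw_request):
    """Scan one captured HTTP request for an ecos_pw cookie exposing a credential.

    Returns one finding per ecos_pw cookie seen (host, raw cookie value and the
    recovered credential) so a monitor can raise an alert on it.
    """
    findings = []
    host_match = re.search(r"^Host:\s*(\S+)", raw_request, re.M | re.I)
    host = host_match.group(1) if host_match else "?"
    for cookie_hdr in re.findall(r"^Cookie:\s*(.+?)\r?$", raw_request, re.M | re.I):
        for part in cookie_hdr.split(";"):
            name, _, value = part.strip().partition("=")
            if name != "ecos_pw":
                continue
            # the sample cookie carries a ":language=cn" tail after the value
            value = value.split(":", 1)[0]
            cred = decode_ecos_pw(value)
            if cred is not None:
                findings.append({"host": host, "cookie": value, "credential": cred})
    return findings
```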

TIMELINE

2025-04-29 - Initial Vendor Contact
2025-04-30 - Vendor Disclosure
2025-05-05 - Vendor Feedback Request
2025-05-08 - Vendor Feedback Request
2025-05-12 - Vendor Feedback Request
2025-06-11 - Vendor Feedback Request
2025-07-07 - Feedback Request / Announcement Of Upcoming Release Date
2025-07-23 - Feedback Request / Announcement Of Upcoming Release Date
2025-08-19 - Announcement Of Upcoming Release Date
2025-08-20 - Public Release

Credit

Discovered by Lilith >_> of Cisco Talos.