Talos Vulnerability Report

TALOS-2025-2178

Tenda AC6 V5.0 Tenda App Router Authentication cleartext transmission vulnerability

August 20, 2025
CVE Number

CVE-2025-31143

SUMMARY

A cleartext transmission vulnerability exists in the Tenda App Router Authentication functionality of Tenda AC6 V5.0 V02.03.01.110. Specially crafted network packets can lead to arbitrary authentication. An attacker can sniff network traffic to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Tenda AC6 V5.0 V02.03.01.110

PRODUCT URLS

AC6 V5.0 - https://www.tendacn.com/product/ac6v5.html

CVSSv3 SCORE

8.8 - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-319 - Cleartext Transmission of Sensitive Information

DETAILS

The Tenda AC1200 AC6 is an IPv6 smart wifi router that supports multiple configuration types for home connectivity options. Extremely popular and affordable from online sellers, the Tenda AC1200 AC6 sees large usage in the home-networking space.

Aside from just the HTTP web portal, the Tenda AC6 AC1200 router also provides a dedicated port for administrative management via a phone app that is hosted on TCP port 9000. Similar in protocol to how the router talks to the cloud on the WAN side, the LAN side phone app management gives just as much functionality as the HTTP admin interface, assuming that authentication successfully occurs.

To understand the current vulnerability, let’s quickly examine the authentication traffic:

0000   24 00 07 ab 00 d5 00 00 04 02 00 00 01 00 00 00   $............... // CMD_LOGIN_GET_PWD_STA

The phone first sends the CMD_LOGIN_GET_PWD_STA packet to see if authentication is needed.

0000   24 00 06 ab 00 d5 00 06 04 02 00 00 00 00 00 00   $...............
0010   08 00 12 02 08 00                                 ......

A response of the same packet type is sent back, with the last byte designating whether the session is currently authenticated or not. If the last byte is 0x0, as in the above traffic, then our phone needs to authenticate, which it does as follows:

0000   24 00 07 af 00 d5 00 13 04 00 00 00 01 00 00 00   $...............   // CMD_LOGIN_LOGIN
0010   0a 05 61 64 6d 69 6e 12 0a 74 65 73 74 20 20 20   ..admin..test   
0020   39 39 39                                          999

Since the login for the test device is in fact "admin"/"test 999", as shown in plaintext above, the router sends the following response to indicate a good login:

0000   24 00 06 af 00 d5 00 06 04 00 00 00 00 00 00 00   $...............  
0010   08 00 12 02 08 00                                 ......

After this sequence has completed, the phone can now successfully send any command that needs authentication. But as plainly shown above, the administrative credentials are sent in clear text, and if there’s an attacker sniffing on the LAN side traffic when this authentication occurs, they easily gain admin access with all of the abilities it entails, including uploading unsigned firmware to the device.
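As an added defender-side example (not part of the advisory or of Tenda's code), the following Python script carves frames out of a captured client-to-router port 9000 byte stream and raises an alert whenever a CMD_LOGIN_LOGIN frame is seen, since any such frame carries the admin credentials in cleartext. The header layout (byte 3 as the command id, bytes 6-7 as the big-endian payload length) and the protobuf-style body decoding are inferred from the dumps above and are assumptions; the sample stream is constructed from those same dumps.

```python
import struct

# Constructed sample: the CMD_LOGIN_GET_PWD_STA request followed by the
# CMD_LOGIN_LOGIN request, exactly as dumped in the advisory (client->router).
SAMPLE_STREAM = bytes.fromhex(
    "240007ab00d500000402000001000000"            # CMD_LOGIN_GET_PWD_STA, no payload
    "240007af00d500130400000001000000"            # CMD_LOGIN_LOGIN header, 0x13-byte payload
    "0a0561646d696e120a74657374202020393939"      # field1="admin", field2="test   999"
)

HEADER_LEN = 16
MAGIC = 0x24                   # '$' leading every frame in the dumps
CMD_LOGIN_GET_PWD_STA = 0xab   # byte 3 of those frames (assumed to be the command id)
CMD_LOGIN_LOGIN = 0xaf         # byte 3 of the login frames (assumed)

def iter_frames(stream: bytes):
    """Yield (cmd, payload) for each frame; length is assumed big-endian at bytes 6-7."""
    off = 0
    while off + HEADER_LEN <= len(stream):
        if stream[off] != MAGIC:
            raise ValueError(f"bad magic 0x{stream[off]:02x} at offset {off}")
        cmd = stream[off + 3]
        plen = struct.unpack_from(">H", stream, off + 6)[0]
        payload = stream[off + HEADER_LEN: off + HEADER_LEN + plen]
        if len(payload) != plen:
            break                           # truncated capture, stop cleanly
        yield cmd, payload
        off += HEADER_LEN + plen

def length_delimited_fields(payload: bytes) -> dict:
    """Decode the protobuf-style body: tag byte (field_no << 3 | 2), length, bytes."""
    fields, i = {}, 0
    while i < len(payload):
        tag, ln = payload[i], payload[i + 1]
        if tag & 7 != 2:
            raise ValueError(f"unexpected wire type {tag & 7} at offset {i}")
        fields[tag >> 3] = payload[i + 2: i + 2 + ln]
        i += 2 + ln
    return fields

def cleartext_login_alerts(stream: bytes) -> list:
    """Return one alert string per cleartext login frame; password value is never logged."""
    alerts = []
    for cmd, payload in iter_frames(stream):
        if cmd != CMD_LOGIN_LOGIN:
            continue
        f = length_delimited_fields(payload)
        user = f.get(1, b"").decode("ascii", "replace")
        alerts.append(f"cleartext CMD_LOGIN_LOGIN on tcp/9000: user={user!r} "
                      f"password_len={len(f.get(2, b''))} (value redacted)")
    return alerts

if __name__ == "__main__":
    print("\n".join(cleartext_login_alerts(SAMPLE_STREAM)))
```

Until a fixed firmware is available, the practical mitigation this check supports is isolating or filtering TCP port 9000 so the app-management channel is only reachable from trusted LAN segments.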

TIMELINE

2025-04-29 - Initial Vendor Contact
2025-04-30 - Vendor Disclosure
2025-05-05 - Vendor Feedback Request
2025-05-08 - Vendor Feedback Request
2025-05-12 - Vendor Feedback Request
2025-06-11 - Vendor Feedback Request
2025-07-07 - Feedback Request / Announcement Of Upcoming Release Date
2025-07-23 - Feedback Request / Announcement Of Upcoming Release Date
2025-08-19 - Announcement Of Upcoming Release Date
2025-08-20 - Public Release

Credit

Discovered by Lilith >_> of Cisco Talos.