CVE-2026-4252

CriticalPublic PoC

Published: 16 March 2026

Published

16 March 2026

Modified

03 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0037 58.6th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

A vulnerability was identified in Tenda AC8 16.03.50.11. Affected by this issue is the function check_is_ipv6 of the component IPv6 Handler. The manipulation leads to reliance on ip address for authentication. It is possible to initiate the attack remotely. The…

exploit is publicly available and might be used.

Mitigating Controls (NIST 800-53 r5)AI

IA-8 Identification and Authentication (Non-organizational Users) good match

prevent

Requires proper identification and authentication for non-organizational users, directly mitigating the IP address-based authentication bypass exploited by remote unauthenticated attackers.

AC-3 Access Enforcement good match

prevent

Enforces approved access authorizations, preventing unauthorized access resulting from the flawed IPv6 handler's reliance on IP addresses for authentication.

SI-10 Information Input Validation good match

prevent

Mandates validation of information inputs like IPv6 data, countering manipulation in the check_is_ipv6 function that enables authentication bypass.

Security SummaryAI

CVE-2026-4252 is a critical authentication vulnerability affecting the Tenda AC8 router on firmware version 16.03.50.11. The issue resides in the check_is_ipv6 function of the IPv6 Handler component, where the system improperly relies on IP addresses for authentication, enabling bypass of security controls. Published on 2026-03-16, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWEs 287 (Improper Authentication) and 291 (Trusting Network Address).

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction required. By manipulating IPv6 handling, adversaries can bypass authentication to gain unauthorized access to the device, potentially achieving high impacts on confidentiality, integrity, and availability, such as executing arbitrary commands or altering configurations.

A proof-of-concept exploit demonstrating the IPv6 authentication bypass is publicly available on GitHub (https://github.com/digitalandrew/tenda_ac8_v5/blob/main/poc_ipv6_auth_bypass.py). VulDB provides detailed advisories (https://vuldb.com/?ctiid.351210, https://vuldb.com/?id.351210, https://vuldb.com/?submit.771759), and the vendor's site is at https://www.tenda.com.cn/. No specific patches or mitigations are detailed in the references.

The exploit is publicly available and might be used in the wild, increasing the risk for exposed Tenda AC8 devices.

Details

CWE(s): CWE-287 CWE-291

Affected Products

tenda

ac8 firmware

16.03.50.11

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability allows remote unauthenticated attackers to bypass authentication on a public-facing router management interface via improper IP address trust, directly enabling T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/digitalandrew/tenda_ac8_v5/blob/main/poc_ipv6_auth_bypass.py
Exploit · cna@vuldb.com
https://vuldb.com/?ctiid.351210
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.351210
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.771759
Exploit, Third Party Advisory, VDB Entry · cna@vuldb.com
https://www.tenda.com.cn/
Product · cna@vuldb.com