CVE-2026-24434
Unknown Unknown - Not Provided
CSRF Vulnerability in Tenda AC7 Firmware Allows Unauthorized Settings Changes

Publication date: 2026-02-03

Last updated on: 2026-02-10

Assigner: VulnCheck

Description
Shenzhen Tenda AC7 firmware version V03.03.03.01_cn and prior does not implement CSRF protections for administrative functions in the web management interface. The interface does not enforce anti-CSRF tokens or robust origin validation, which can allow an attacker to induce a logged-in administrator to perform unintended state-changing requests and modify router settings.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-03
Last Modified
2026-02-10
Generated
2026-06-16
AI Q&A
2026-02-04
EPSS Evaluated
2026-06-14
NVD
CVE-2026-24434
EUVD
EUVD-2026-5154
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tenda ac7_firmware to 03.03.03.01 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability in the Tenda AC7 router firmware allows unauthorized modification of router settings through CSRF attacks, which could potentially lead to unauthorized access or changes in network configurations.

Such unauthorized changes may impact the security and integrity of systems that handle sensitive data, thereby potentially affecting compliance with standards and regulations like GDPR and HIPAA that require protection of data and secure administrative controls.

However, the provided information does not explicitly detail the direct impact on compliance with these regulations.

Executive Summary

The Tenda AC7 router firmware version V03.03.03.01_cn and earlier lacks Cross-Site Request Forgery (CSRF) protections in its web management interface for administrative actions.

Specifically, the interface does not implement anti-CSRF tokens or enforce robust origin validation mechanisms.

This vulnerability allows an attacker to trick a logged-in administrator into executing unintended state-changing requests, potentially modifying router settings without authorization.

Impact Analysis

[{'type': 'paragraph', 'content': "An attacker can exploit this vulnerability to induce a logged-in administrator to perform unintended actions on the router's web management interface."}, {'type': 'paragraph', 'content': 'This can lead to unauthorized modification of router settings, which may affect network security and device configuration.'}, {'type': 'paragraph', 'content': 'The attack requires the administrator to be logged in and interact with a malicious request, but no special privileges or complex attack methods are needed.'}] [1]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The vulnerability exists because the Tenda AC7 router firmware version V03.03.03.01_cn and earlier does not implement CSRF protections such as anti-CSRF tokens or robust origin validation in its web management interface.'}, {'type': 'paragraph', 'content': 'To mitigate this vulnerability immediately, you should:'}, {'type': 'list_item', 'content': 'Avoid using the vulnerable firmware version and upgrade the router firmware to a version later than V03.03.03.01_cn if available.'}, {'type': 'list_item', 'content': "Restrict access to the router's web management interface to trusted networks and users only."}, {'type': 'list_item', 'content': "Ensure that administrators do not visit untrusted websites while logged into the router's management interface to reduce the risk of CSRF attacks."}, {'type': 'list_item', 'content': 'Consider resetting the router to factory defaults and reconfiguring it after upgrading firmware.'}] [1]

Detection Guidance

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24434. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart