CVE-2026-24434
CSRF Vulnerability in Tenda AC7 Firmware Allows Unauthorized Settings Changes

Publication date: 2026-02-03

Last updated on: 2026-02-10

Assigner: VulnCheck

Description
Shenzhen Tenda AC7 firmware version V03.03.03.01_cn and prior does not implement CSRF protections for administrative functions in the web management interface. The interface does not enforce anti-CSRF tokens or robust origin validation, which can allow an attacker to induce a logged-in administrator to perform unintended state-changing requests and modify router settings.
Meta Information
Generated: 2026-05-27
AI Q&A: 2026-02-04
EPSS Evaluated: 2026-05-25
Affected Vendors & Products
Vendor: tenda
Product: ac7_firmware
Version / Range: up to and including 03.03.03.01
CWE
CWE-352: The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


Can you explain this vulnerability to me?

The Tenda AC7 router firmware version V03.03.03.01_cn and earlier lacks Cross-Site Request Forgery (CSRF) protections in its web management interface for administrative actions.

Specifically, the interface does not implement anti-CSRF tokens or enforce robust origin validation mechanisms.

This vulnerability allows an attacker to trick a logged-in administrator into executing unintended state-changing requests, potentially modifying router settings without authorization.


How can this vulnerability impact me?

An attacker can exploit this vulnerability to induce a logged-in administrator to perform unintended actions on the router's web management interface.

This can lead to unauthorized modification of router settings, which may affect network security and device configuration.

The attack requires the administrator to be logged in and interact with a malicious request, but no special privileges or complex attack methods are needed. [1]


What immediate steps should I take to mitigate this vulnerability?

The vulnerability exists because the Tenda AC7 router firmware version V03.03.03.01_cn and earlier does not implement CSRF protections such as anti-CSRF tokens or robust origin validation in its web management interface.

To mitigate this vulnerability immediately, you should:

- Avoid using the vulnerable firmware version and upgrade the router firmware to a version later than V03.03.03.01_cn if available.
- Restrict access to the router's web management interface to trusted networks and users only.
- Ensure that administrators do not visit untrusted websites while logged into the router's management interface to reduce the risk of CSRF attacks.
- Consider resetting the router to factory defaults and reconfiguring it after upgrading firmware. [1]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in the Tenda AC7 router firmware allows unauthorized modification of router settings through CSRF attacks, which could potentially lead to unauthorized access or changes in network configurations.

Such unauthorized changes may impact the security and integrity of systems that handle sensitive data, thereby potentially affecting compliance with standards and regulations like GDPR and HIPAA that require protection of data and secure administrative controls.

However, the provided information does not explicitly detail the direct impact on compliance with these regulations.

