CVE-2026-4252
Received Received - Intake
Authentication Bypass in Tenda AC8 IPv6 Handler (check_is_ipv

Publication date: 2026-03-16

Last updated on: 2026-04-03

Assigner: VulDB

Description
A vulnerability was identified in Tenda AC8 16.03.50.11. Affected by this issue is the function check_is_ipv6 of the component IPv6 Handler. The manipulation leads to reliance on ip address for authentication. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-16
Last Modified
2026-04-03
Generated
2026-06-16
AI Q&A
2026-03-16
EPSS Evaluated
2026-06-14
NVD
CVE-2026-4252
EUVD
EUVD-2026-12470
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tenda ac8_firmware 16.03.50.11
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-291 The product uses an IP address for authentication.
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-4252 is a critical authentication bypass vulnerability in the Tenda AC8 router firmware version 16.03.50.11. It affects the IPv6 Handler component, specifically the function check_is_ipv6, which is used to detect IPv6 clients by checking if the client IP address contains two or more colons. If so, the router skips the entire authentication process.'}, {'type': 'paragraph', 'content': 'The vulnerability allows an attacker on the local network to bypass authentication by exploiting a substring matching flaw in the router\'s web server handler (R7WebsSecurityHandler). By appending the query parameter "?fast_setting_wifi_set" to any URL containing "/goform/", the attacker can gain unauthenticated access to all administrative endpoints.'}, {'type': 'paragraph', 'content': 'This means an attacker can remotely access sensitive functions such as changing the admin password, enabling telnet access, reconfiguring WiFi settings, uploading firmware, and other administrative actions without knowing any password.'}] [1, 2, 3]

Impact Analysis

This vulnerability allows an unauthenticated attacker on the same local network to gain full administrative control over the affected Tenda AC8 router. The attacker can bypass authentication and perform critical actions such as:

  • Changing the administrator password
  • Enabling Telnet access remotely without authentication
  • Reconfiguring WiFi settings
  • Uploading and installing firmware
  • Gaining root shell access to the device

With root access, attackers can read sensitive files such as /etc/shadow, potentially compromising user credentials and the entire device integrity. This can lead to full device compromise, loss of confidentiality, integrity, and availability of the network managed by the router.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by identifying the presence of the Tenda AC8 router with firmware version 16.03.50.11 on your network and checking for IPv6 link-local address accessibility. The router listens on IPv6 link-local addresses (fe80::/10) by default, which can be discovered using network commands.'}, {'type': 'list_item', 'content': "Use the command `ping6 -c2 ff02::1%eth0` to ping all IPv6 nodes on the local network segment and discover the router's IPv6 link-local address."}, {'type': 'list_item', 'content': "Use `ip -6 neigh` to view the IPv6 neighbor table and identify the router's IPv6 link-local address and MAC address."}, {'type': 'list_item', 'content': 'Check the IPv4 ARP table with `arp -a` to find the MAC address of the default gateway (usually 192.168.0.1) which corresponds to the router.'}, {'type': 'paragraph', 'content': 'Once the IPv6 link-local address is identified, you can test for the authentication bypass by sending HTTP requests to `/goform/` endpoints with the query parameter `?fast_setting_wifi_set` appended, which should normally require authentication but is bypassed in this vulnerability.'}] [1, 2]

Mitigation Strategies

[{'type': 'paragraph', 'content': "Immediate mitigation steps include restricting access to the router's IPv6 link-local addresses from unauthorized LAN hosts, as the vulnerability requires LAN access over IPv6."}, {'type': 'paragraph', 'content': "Apply firewall rules to block or limit IPv6 traffic to the router's administrative `/goform/` endpoints, especially blocking requests containing the `fast_setting_wifi_set` parameter."}, {'type': 'paragraph', 'content': 'Disable or restrict IPv6 on the LAN interfaces if IPv6 is not required, to reduce the attack surface.'}, {'type': 'paragraph', 'content': 'Change the default or empty web admin password immediately if the device is in initial setup state, to prevent unauthorized password changes.'}, {'type': 'paragraph', 'content': 'Monitor network traffic for suspicious HTTP requests to `/goform/` endpoints with the bypass parameter and unauthorized Telnet activation.'}, {'type': 'paragraph', 'content': 'Check for firmware updates or patches from the vendor and apply them as soon as they become available to fix the vulnerability.'}] [1, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4252. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart