CVE-2026-4252
Authentication Bypass in Tenda AC8 IPv6 Handler (check_is_ipv
Publication date: 2026-03-16
Last updated on: 2026-04-03
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tenda | ac8_firmware | 16.03.50.11 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
| CWE-291 | The product uses an IP address for authentication. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-4252 is a critical authentication bypass vulnerability in the Tenda AC8 router firmware version 16.03.50.11. It affects the IPv6 Handler component, specifically the function check_is_ipv6, which is used to detect IPv6 clients by checking if the client IP address contains two or more colons. If so, the router skips the entire authentication process.'}, {'type': 'paragraph', 'content': 'The vulnerability allows an attacker on the local network to bypass authentication by exploiting a substring matching flaw in the router\'s web server handler (R7WebsSecurityHandler). By appending the query parameter "?fast_setting_wifi_set" to any URL containing "/goform/", the attacker can gain unauthenticated access to all administrative endpoints.'}, {'type': 'paragraph', 'content': 'This means an attacker can remotely access sensitive functions such as changing the admin password, enabling telnet access, reconfiguring WiFi settings, uploading firmware, and other administrative actions without knowing any password.'}] [1, 2, 3]
How can this vulnerability impact me? :
This vulnerability allows an unauthenticated attacker on the same local network to gain full administrative control over the affected Tenda AC8 router. The attacker can bypass authentication and perform critical actions such as:
- Changing the administrator password
- Enabling Telnet access remotely without authentication
- Reconfiguring WiFi settings
- Uploading and installing firmware
- Gaining root shell access to the device
With root access, attackers can read sensitive files such as /etc/shadow, potentially compromising user credentials and the entire device integrity. This can lead to full device compromise, loss of confidentiality, integrity, and availability of the network managed by the router.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by identifying the presence of the Tenda AC8 router with firmware version 16.03.50.11 on your network and checking for IPv6 link-local address accessibility. The router listens on IPv6 link-local addresses (fe80::/10) by default, which can be discovered using network commands.'}, {'type': 'list_item', 'content': "Use the command `ping6 -c2 ff02::1%eth0` to ping all IPv6 nodes on the local network segment and discover the router's IPv6 link-local address."}, {'type': 'list_item', 'content': "Use `ip -6 neigh` to view the IPv6 neighbor table and identify the router's IPv6 link-local address and MAC address."}, {'type': 'list_item', 'content': 'Check the IPv4 ARP table with `arp -a` to find the MAC address of the default gateway (usually 192.168.0.1) which corresponds to the router.'}, {'type': 'paragraph', 'content': 'Once the IPv6 link-local address is identified, you can test for the authentication bypass by sending HTTP requests to `/goform/` endpoints with the query parameter `?fast_setting_wifi_set` appended, which should normally require authentication but is bypassed in this vulnerability.'}] [1, 2]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': "Immediate mitigation steps include restricting access to the router's IPv6 link-local addresses from unauthorized LAN hosts, as the vulnerability requires LAN access over IPv6."}, {'type': 'paragraph', 'content': "Apply firewall rules to block or limit IPv6 traffic to the router's administrative `/goform/` endpoints, especially blocking requests containing the `fast_setting_wifi_set` parameter."}, {'type': 'paragraph', 'content': 'Disable or restrict IPv6 on the LAN interfaces if IPv6 is not required, to reduce the attack surface.'}, {'type': 'paragraph', 'content': 'Change the default or empty web admin password immediately if the device is in initial setup state, to prevent unauthorized password changes.'}, {'type': 'paragraph', 'content': 'Monitor network traffic for suspicious HTTP requests to `/goform/` endpoints with the bypass parameter and unauthorized Telnet activation.'}, {'type': 'paragraph', 'content': 'Check for firmware updates or patches from the vendor and apply them as soon as they become available to fix the vulnerability.'}] [1, 3]