CVE-2026-5527
Received Received - Intake

Hard-Coded ECDSA Key Vulnerability in Tenda 4G03 Pro

Vulnerability report for CVE-2026-5527, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-05

Last updated on: 2026-04-30

Assigner: VulDB

Description

A weakness has been identified in Tenda 4G03 Pro 1.0/1.0re/01.bin/04.03.01.53. Affected by this issue is some unknown functionality of the file /etc/www/pem/server.key of the component ECDSA P-256 Private Key Handler. This manipulation causes use of hard-coded cryptographic key . It is possible to initiate the attack remotely.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-05
Last Modified
2026-04-30
Generated
2026-07-06
AI Q&A
2026-04-05
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
tenda 4g03_pro_firmware 04.03.01.53

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-320 Key Management Errors
CWE-321 The product uses a hard-coded, unchangeable cryptographic key.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Impact Analysis

The vulnerability allows remote attackers to exploit the hard-coded cryptographic key, potentially compromising the confidentiality of communications or data protected by this key. Since the key is fixed and known, attackers may be able to decrypt sensitive information or impersonate the device, leading to partial loss of confidentiality.

Executive Summary

This vulnerability exists in the Tenda 4G03 Pro device, specifically in the ECDSA P-256 Private Key Handler component. The issue is caused by the use of a hard-coded cryptographic key located in the file /etc/www/pem/server.key. Because the key is hard-coded, it can be exploited remotely by an attacker.

Compliance Impact

The vulnerability involves the use of a hard-coded cryptographic key in the Tenda 4G03 Pro device, which can be exploited remotely. This weakness can potentially compromise the confidentiality of sensitive data protected by the device.

Using hard-coded cryptographic keys is generally considered a poor security practice and may lead to non-compliance with standards and regulations such as GDPR and HIPAA, which require adequate protection of personal and sensitive data.

However, the provided information does not explicitly state the direct impact on compliance with these regulations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5527. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart