CVE-2026-5527
Received Received - Intake
Hard-Coded ECDSA Key Vulnerability in Tenda 4G03 Pro

Publication date: 2026-04-05

Last updated on: 2026-04-30

Assigner: VulDB

Description
A weakness has been identified in Tenda 4G03 Pro 1.0/1.0re/01.bin/04.03.01.53. Affected by this issue is some unknown functionality of the file /etc/www/pem/server.key of the component ECDSA P-256 Private Key Handler. This manipulation causes use of hard-coded cryptographic key . It is possible to initiate the attack remotely.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-05
Last Modified
2026-04-30
Generated
2026-06-16
AI Q&A
2026-04-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5527
EUVD
EUVD-2026-19003
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tenda 4g03_pro_firmware 04.03.01.53
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-321 The product uses a hard-coded, unchangeable cryptographic key.
CWE-320 Key Management Errors
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Tenda 4G03 Pro device, specifically in the ECDSA P-256 Private Key Handler component. The issue is caused by the use of a hard-coded cryptographic key located in the file /etc/www/pem/server.key. Because the key is hard-coded, it can be exploited remotely by an attacker.

Impact Analysis

The vulnerability allows remote attackers to exploit the hard-coded cryptographic key, potentially compromising the confidentiality of communications or data protected by this key. Since the key is fixed and known, attackers may be able to decrypt sensitive information or impersonate the device, leading to partial loss of confidentiality.

Compliance Impact

The vulnerability involves the use of a hard-coded cryptographic key in the Tenda 4G03 Pro device, which can be exploited remotely. This weakness can potentially compromise the confidentiality of sensitive data protected by the device.

Using hard-coded cryptographic keys is generally considered a poor security practice and may lead to non-compliance with standards and regulations such as GDPR and HIPAA, which require adequate protection of personal and sensitive data.

However, the provided information does not explicitly state the direct impact on compliance with these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5527. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart