CVE-2026-5962
Path Traversal in Tenda CH22 httpd Enables Remote Exploit
Publication date: 2026-04-09
Last updated on: 2026-04-30
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tenda | ch22_firmware | 1.0.0.6(468) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
The CVE-2026-5962 vulnerability affects the Tenda CH22 router running firmware version V1.0.0.6(468). It is caused by a flaw in the R7WebsSecurityHandler function of the httpd service, which is responsible for controlling access to certain URLs based on a whitelist of allowed prefixes.
The vulnerability arises because the function only checks the beginning of the URL for allowed prefixes but does not properly validate or canonicalize the rest of the URL. This allows an attacker to include directory traversal sequences (like "../") after a whitelisted prefix to escape the restricted directory.
For example, an attacker can send a request to "/public/../system_upgrade.asp" which passes the whitelist check but actually accesses a sensitive administrative page that normally requires authentication. This results in an authentication bypass, allowing remote attackers to access protected resources without logging in.
How can this vulnerability impact me?
This vulnerability can have serious impacts as it allows unauthenticated remote attackers to bypass login requirements and gain direct access to administrative interfaces and sensitive resources on the affected Tenda CH22 router.
- Attackers can manipulate URLs to access restricted pages, such as system upgrade or configuration pages.
- Unauthorized access to administrative functions can lead to device compromise, configuration changes, or disruption of network services.
- Since the exploit is publicly available, the risk of exploitation is high.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending crafted HTTP requests to the Tenda CH22 router's web interface that attempt to exploit the path traversal flaw in the R7WebsSecurityHandler function.
Specifically, you can test for unauthorized access by sending a GET request to a URL starting with a whitelisted prefix such as "/public/" followed by directory traversal sequences like "../" to access normally restricted pages such as "system_upgrade.asp".
For example, using curl, you can run the following command to check whether the vulnerability is present. Note that curl collapses "../" segments client-side before sending unless --path-as-is is given, so a test without that flag never delivers the traversal form to the router and is inconclusive:
- curl -i --path-as-is http://[router_ip]/public/../system_upgrade.asp
If the response returns the administrative page instead of redirecting to the login page (HTTP 302), the vulnerability is present.
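The following C program is an added illustration of both the flaw described above and the log-review check suggested in this answer; it is not code from the Tenda firmware, and the prefix list, function names and sample request paths are assumptions chosen for the example. It contrasts a prefix-only allow-list check, which "/public/../system_upgrade.asp" passes, with a check that lexically canonicalizes the path first, and reuses the same canonicalizer to flag request paths whose sent form differs from their canonical form for monitoring.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical allow-list of URL prefixes reachable without login.
 * Assumption for this example; not the list used by the Tenda firmware. */
static const char *const PUBLIC_PREFIXES[] = { "/public/", "/login.asp", "/img/" };
#define NUM_PREFIXES (sizeof PUBLIC_PREFIXES / sizeof PUBLIC_PREFIXES[0])

/* Weak check of the kind the advisory describes: only the leading bytes of the
 * raw request path are compared, so whatever follows the prefix is never examined. */
bool prefix_only_allows(const char *path) {
    for (size_t i = 0; i < NUM_PREFIXES; i++) {
        if (strncmp(path, PUBLIC_PREFIXES[i], strlen(PUBLIC_PREFIXES[i])) == 0)
            return true;
    }
    return false;
}

/* Lexically resolve "." and ".." segments of an absolute path (query string already
 * stripped, percent-encoding already decoded) into out. Returns false when the path
 * is not absolute, would climb above the root, or does not fit in outsz bytes. */
bool canonicalize_path(const char *path, char *out, size_t outsz) {
    enum { MAX_SEGS = 64 };
    const char *segs[MAX_SEGS];
    size_t lens[MAX_SEGS];
    int depth = 0;
    size_t plen = strlen(path);

    if (plen == 0 || path[0] != '/') return false;
    bool trailing_slash = path[plen - 1] == '/';

    for (const char *p = path + 1; *p; ) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 0 || (len == 1 && p[0] == '.')) {
            /* empty or "." segment: drop it */
        } else if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (depth == 0) return false;   /* ".." would leave the root */
            depth--;
        } else {
            if (depth == MAX_SEGS) return false;
            segs[depth] = p;
            lens[depth] = len;
            depth++;
        }
        if (!end) break;
        p = end + 1;
    }

    size_t used = 0;
    if (outsz < 2) return false;
    out[used++] = '/';
    for (int i = 0; i < depth; i++) {
        if (used + lens[i] + 2 > outsz) return false;
        memcpy(out + used, segs[i], lens[i]);
        used += lens[i];
        if (i + 1 < depth || trailing_slash) out[used++] = '/';
    }
    out[used] = '\0';
    return true;
}

/* Hardened check: canonicalize first, then compare prefixes on the result. */
bool canonical_allows(const char *path) {
    char canon[256];
    if (!canonicalize_path(path, canon, sizeof canon)) return false;
    return prefix_only_allows(canon);
}

/* Log-review helper: true for any request path whose canonical form differs from
 * what was sent (dot-segments, doubled slashes) or that escapes the root. */
bool is_traversal_attempt(const char *path) {
    char canon[256];
    if (!canonicalize_path(path, canon, sizeof canon)) return true;
    return strcmp(canon, path) != 0;
}

/* Convenience: does path canonicalize to exactly expected? */
bool canon_equals(const char *path, const char *expected) {
    char canon[256];
    return canonicalize_path(path, canon, sizeof canon) && strcmp(canon, expected) == 0;
}

int main(void) {
    /* Constructed sample request paths, not captured traffic. */
    const char *samples[] = {
        "/public/style.css",
        "/public/../system_upgrade.asp",
        "/img/./logo/../banner.png",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-32s prefix-only:%d canonical:%d traversal:%d\n", samples[i],
               prefix_only_allows(samples[i]), canonical_allows(samples[i]),
               is_traversal_attempt(samples[i]));
    return 0;
}
```

The canonicalizer works on the decoded path only; a real handler must percent-decode (so that "%2e%2e" is seen as "..") and split off the query string before calling it, otherwise encoded variants slip past the same way the raw "../" does here. The third sample shows why the monitoring check is separate from the access check: it canonicalizes to an allowed path yet is still worth logging, because legitimate clients rarely send dot-segments.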
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the router's web interface from untrusted networks and disabling remote management if enabled.
Additionally, monitor for any unusual HTTP requests that include directory traversal patterns such as "../" in URLs targeting the router.
Applying any available firmware updates from the vendor that address this vulnerability is critical once released.
As a temporary workaround, consider implementing network-level filtering or web application firewall rules to block requests containing suspicious path traversal sequences.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthenticated remote attackers to bypass authentication and gain direct access to administrative interfaces and sensitive resources on the Tenda CH22 router. This unauthorized access to sensitive data and administrative functions can lead to exposure or manipulation of personal or protected information.
Such unauthorized access and potential data exposure can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data.