Executive Summary

CVE-2026-6024 is a path traversal vulnerability in the Tenda i6 router running firmware version 1.0.0.7(2204). It affects the R7WebsSecurityHandler function of the HTTP Handler component. This function is supposed to restrict access to certain URLs by allowing only whitelisted URL prefixes. However, it does not properly validate the rest of the URL after the whitelisted prefix.

An attacker can craft a URL starting with a whitelisted prefix but including directory traversal sequences (like "../") to escape the restricted directory. For example, a request to "/public/../system_upgrade.asp" bypasses the whitelist check but accesses a sensitive administrative page.

This flaw allows an unauthenticated remote attacker to bypass login authentication and gain direct access to administrative interfaces and sensitive resources on the router.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an unauthenticated remote attacker to bypass authentication and gain full administrative access to the Tenda i6 router. With this access, the attacker can control and modify router settings, potentially compromising the security and functionality of the network.

Such unauthorized access can lead to network disruption, interception of network traffic, installation of malicious firmware, or other malicious activities that compromise the confidentiality, integrity, and availability of the network.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to access sensitive administrative pages on the Tenda i6 router using specially crafted HTTP requests that exploit the path traversal flaw.

For example, you can use curl or similar HTTP client tools to send a GET request with a path traversal sequence starting with a whitelisted prefix such as "/public/../system_upgrade.asp".

• curl -v http://<router-ip>/public/../system_upgrade.asp
• curl -v http://<router-ip>/lang/../system_upgrade.asp

If the response returns the administrative page content instead of redirecting to a login page (HTTP 302), it indicates the vulnerability is present.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows unauthenticated remote attackers to bypass authentication and gain full administrative access to the Tenda i6 router. This unauthorized access to administrative functions and sensitive resources could lead to exposure or manipulation of personal or sensitive data.

Such unauthorized access and potential data exposure may impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information and mandate controls to prevent unauthorized access.

However, the provided information does not explicitly detail the direct effects on compliance with these standards.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate the CVE-2026-6024 vulnerability in the Tenda i6 router, immediate steps include restricting remote access to the router's HTTP interface to trusted networks only, such as local LAN, to prevent unauthenticated remote exploitation.

Additionally, monitor for any available firmware updates or patches from the vendor that address this path traversal and authentication bypass issue, and apply them as soon as possible.

As a temporary measure, consider disabling any unnecessary HTTP services or administrative interfaces exposed remotely until a fix is applied.

Useful 0 Not Useful 0