VYPR
High severity 7.3 · NVD Advisory · Published Apr 10, 2026 · Updated Apr 30, 2026

CVE-2026-6024

Description

A vulnerability was determined in Tenda i6 1.0.0.7(2204). Affected by this issue is the function R7WebsSecurityHandler of the component HTTP Handler. This manipulation causes path traversal. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Tenda i6 1.0.0.7(2204) httpd component's R7WebsSecurityHandler allows unauthenticated path traversal, enabling admin access.

A vulnerability exists in the Tenda i6 router firmware version 1.0.0.7(2204), affecting the R7WebsSecurityHandler function of the httpd component [1]. This function is responsible for enforcing a URL prefix whitelist (e.g., /public/, /lang/) to allow unauthenticated access to static resources while requiring login for other pages. The flaw lies in its use of strncmp to verify the URL prefix without validating the rest of the path, leading to a path traversal weakness [1].

An unauthenticated remote attacker can exploit this by crafting an HTTP request that starts with a whitelisted prefix but includes directory traversal sequences (../) to navigate to sensitive resources. For example, a GET request to /public/../system_upgrade.asp bypasses the authentication check because it begins with /public/, yet the server resolves the path to the administrative system_upgrade.asp page [1]. The attack requires no authentication and can be launched over the network.
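The weak prefix check described above, next to a form that canonicalizes the path before applying the whitelist. This is an added example, not Tenda firmware code: the function names are hypothetical, only the /public/ and /lang/ prefixes come from the advisory, and the input is assumed to be already URL-decoded.

```c
#include <stddef.h>
#include <string.h>
/* Prefixes named in the advisory; everything else here is illustrative. */
static const char *const PUBLIC_PREFIXES[] = { "/public/", "/lang/" };

static int has_public_prefix(const char *path)
{
    size_t n = sizeof PUBLIC_PREFIXES / sizeof PUBLIC_PREFIXES[0];
    for (size_t i = 0; i < n; i++)
        if (strncmp(path, PUBLIC_PREFIXES[i], strlen(PUBLIC_PREFIXES[i])) == 0)
            return 1;
    return 0;
}

/* Weak pattern: the raw request path is compared against the prefix only. */
int is_public_weak(const char *url) { return has_public_prefix(url); }

/* Resolve "." and ".." segments of an already URL-decoded absolute path.
 * Returns 0, or -1 if relative, above the root, or too long for out. */
int normalize_path(const char *in, char *out, size_t cap)
{
    size_t len = 0, n = strlen(in);
    int trailing = n > 1 && in[n - 1] == '/';     /* keep a final slash */
    if (in[0] != '/' || cap < 2) return -1;
    while (*in) {
        while (*in == '/') in++;                  /* collapse "//" */
        size_t seg = strcspn(in, "/");
        if (seg == 0) break;
        if (seg == 2 && in[0] == '.' && in[1] == '.') {
            if (len == 0) return -1;              /* would leave the root */
            while (len > 0 && out[--len] != '/') {}  /* drop last segment */
        } else if (!(seg == 1 && in[0] == '.')) {
            if (len + seg + 3 > cap) return -1;   /* room for '/' and NUL */
            out[len++] = '/';
            memcpy(out + len, in, seg);
            len += seg;
        }
        in += seg;
    }
    if (len == 0 || trailing) out[len++] = '/';
    out[len] = '\0';
    return 0;
}

/* Hardened: canonicalize first, then apply the whitelist; fail closed. */
int is_public_hardened(const char *url)
{
    char norm[256];
    if (normalize_path(url, norm, sizeof norm) != 0) return 0;
    return has_public_prefix(norm);
}
```

The same canonical path must also be the one the server uses to locate the file, otherwise the check and the lookup can still disagree.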

Successful exploitation grants the attacker access to restricted pages and functions normally requiring administrative credentials. This could allow an attacker to view or modify router settings, including firmware upgrade, network configuration, and security controls. The proof of concept has been publicly disclosed, increasing the risk of active exploitation [1].

As of the publication date, Tenda has not released a patched firmware version; the latest firmware available on their website (1.0.0.7(2204)) remains vulnerable [2]. Users are advised to restrict network access to the router's management interface or consider alternative mitigation measures until an update is provided.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

5
