CVE-2026-22081 is a vulnerability classified under CWE-1004 (Sensitive Cookie Without HttpOnly Flag) affecting Tenda 300Mbps Wireless Router F3 and N300 Easy Setup Router models. The root cause is the absence of the HttpOnly attribute on session cookies used by the routers' web-based administrative interfaces. Without the HttpOnly flag, these cookies are accessible to client-side scripts, increasing the risk of session hijacking via cross-site scripting (XSS) or network interception. Additionally, the administrative interface transmits these cookies over unencrypted HTTP connections, enabling remote attackers to capture session cookies through network sniffing or man-in-the-middle attacks. Successful exploitation allows attackers to impersonate legitimate administrators, gaining unauthorized control over router settings, potentially leading to network compromise, traffic interception, or persistent backdoors. The vulnerability affects several firmware versions of the F3 model (v3.0) and one version of the F4 model (v4.0). The CVSS 4.0 base score is 8.8, reflecting high severity due to network attack vector, no required privileges or user interaction, and high impact on confidentiality. Although no public exploits are reported yet, the vulnerability's nature makes it a significant risk, especially in environments where these routers are deployed without additional network protections.

European organizations using affected Tenda router models face risks including unauthorized administrative access to network routers, leading to potential interception or manipulation of internal and external network traffic. This could compromise confidentiality and integrity of sensitive communications and data. Attackers gaining control over routers can redirect traffic, deploy malware, or create persistent access points within corporate or governmental networks. Small and medium enterprises or home offices relying on these routers may be particularly vulnerable due to limited network segmentation or monitoring. Critical infrastructure entities using these devices could experience disruptions or espionage activities. The lack of encryption on the administrative interface exacerbates the risk, especially in environments with untrusted or public network segments. Overall, the vulnerability threatens network security posture and could facilitate broader attacks if exploited.

1. Immediately restrict access to the router's administrative interface by limiting it to trusted internal networks or specific management VLANs. 2. Disable remote administration over HTTP or the internet if enabled. 3. Enforce use of HTTPS for the router's web interface to protect cookie transmission; if not supported, consider deploying a VPN or secure management channel. 4. Monitor network traffic for unusual activity indicative of session hijacking or unauthorized access attempts. 5. Apply firmware updates from Tenda as soon as they are released addressing this vulnerability. 6. If firmware patches are unavailable, consider replacing affected devices with models that implement secure cookie attributes and encrypted management interfaces. 7. Educate users and administrators about the risks of using default or insecure router configurations. 8. Implement network segmentation to isolate critical systems from potentially compromised routers. 9. Use endpoint security solutions to detect lateral movement or unusual network behavior stemming from compromised routers.