CVE-2026-27514: CWE-201: Insertion of Sensitive Information Into Sent Data in Shenzhen Tenda Technology Co., Ltd. Tenda F3
Shenzhen Tenda F3 Wireless Router firmware V12.01.01.55_multi contains a sensitive information exposure vulnerability in the configuration download functionality. The configuration download response includes the router password and administrative password in plaintext. The endpoint also omits appropriate Cache-Control directives, which can allow the response to be stored in client-side caches and recovered by other local users or processes with access to cached browser data.
AI Analysis
Technical Summary
CVE-2026-27514 describes a sensitive information exposure vulnerability in the Shenzhen Tenda F3 Wireless Router firmware V12.01.01.55_multi. The issue occurs in the configuration download functionality, where the response includes plaintext router and administrative passwords. The absence of Cache-Control directives in the HTTP response allows the sensitive data to be stored in client-side caches, increasing the risk of unauthorized local access. The vulnerability is categorized under CWE-201 (Exposure of Sensitive Information Through Sent Data) and CWE-525 (Use of Web Browser Cache Containing Sensitive Information). The CVSS v4.0 base score is 7.1, indicating a high severity with network attack vector, low attack complexity, and no privileges or user interaction required.
Potential Impact
An attacker with local access to the client device or browser cache could retrieve sensitive router credentials from cached configuration download responses. This exposure could lead to unauthorized administrative access to the router, compromising network security. The vulnerability does not require user interaction or elevated privileges to exploit, increasing its risk. There are no known exploits in the wild at this time.
Mitigation Recommendations
No patch or official fix information is currently available for this vulnerability. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is provided, users should avoid downloading or storing router configuration files on shared or untrusted devices. Clearing browser caches after configuration downloads may reduce risk. Monitor vendor communications for updates on patches or firmware upgrades addressing this issue.
CVE-2026-27514: CWE-201: Insertion of Sensitive Information Into Sent Data in Shenzhen Tenda Technology Co., Ltd. Tenda F3
Description
Shenzhen Tenda F3 Wireless Router firmware V12.01.01.55_multi contains a sensitive information exposure vulnerability in the configuration download functionality. The configuration download response includes the router password and administrative password in plaintext. The endpoint also omits appropriate Cache-Control directives, which can allow the response to be stored in client-side caches and recovered by other local users or processes with access to cached browser data.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-27514 describes a sensitive information exposure vulnerability in the Shenzhen Tenda F3 Wireless Router firmware V12.01.01.55_multi. The issue occurs in the configuration download functionality, where the response includes plaintext router and administrative passwords. The absence of Cache-Control directives in the HTTP response allows the sensitive data to be stored in client-side caches, increasing the risk of unauthorized local access. The vulnerability is categorized under CWE-201 (Exposure of Sensitive Information Through Sent Data) and CWE-525 (Use of Web Browser Cache Containing Sensitive Information). The CVSS v4.0 base score is 7.1, indicating a high severity with network attack vector, low attack complexity, and no privileges or user interaction required.
Potential Impact
An attacker with local access to the client device or browser cache could retrieve sensitive router credentials from cached configuration download responses. This exposure could lead to unauthorized administrative access to the router, compromising network security. The vulnerability does not require user interaction or elevated privileges to exploit, increasing its risk. There are no known exploits in the wild at this time.
Mitigation Recommendations
No patch or official fix information is currently available for this vulnerability. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is provided, users should avoid downloading or storing router configuration files on shared or untrusted devices. Clearing browser caches after configuration downloads may reduce risk. Monitor vendor communications for updates on patches or firmware upgrades addressing this issue.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-02-19T19:51:07.328Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 699c852abe58cf853ba98537
Added to database: 2/23/2026, 4:49:46 PM
Last enriched: 5/12/2026, 4:02:55 AM
Last updated: 5/24/2026, 11:04:12 PM
Views: 161
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.