Tenda AC15 v15.03.05.18_multi) issues an authentication cookie that exposes the account password hash to the client and uses a short, low-entropy suffix as the session identifier. An attacker with network access or the ability to run JS in a victim browser can steal the cookie and replay it to access protected resources.
The device generates a session cookie that contains a hash of the user's password — sensitive information that should not be transmitted to the client. Additionally, the session identifier is short and based on entropy of low value, making it susceptible to brute-force guessing or analysis attacks. An attacker with access to the network or the ability to execute JavaScript code in the victim's browser (e.g., through XSS) can intercept such a cookie. After obtaining the cookie, the attacker can reuse it (replay attack), gaining access to the router's administrative panel without knowing the actual password.
An attacker can take full control of the Tenda AC15 router, gaining access to protected administrative resources — including the ability to modify network configuration, intercept network traffic, and potentially use the device as an entry point to the local network.
Apply patches available from the manufacturer according to references. Until an update is released, it is recommended to restrict access to the router's administrative panel only to trusted hosts on the local network and avoid managing the device through untrusted networks.
Tenda AC15 firmware version v15.03.05.18_multi
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HTenda Ac15
HWTendawszystkie wersjeTenda Ac15 Firmware
OSTenda15.03.05.18
Related vulnerabilities
The goform/setUsbUnload endpoint of Tenda AC15 AC1900 version 15.03.05.19 allows remote attackers to execute a...
Buffer overflow w Tenda AC15 — podatność w goform/formSetMacFilterCfg
Command injection w Tenda AC15 — brak walidacji parametru w formsetUsbUnload
Command injection w Tenda AC15 — brak walidacji parametru formSetIptv
Buffer overflow w Tenda AC15 — przepełnienie stosu przez HTTP