CVE-2026-22082

This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the use of login credentials as the session ID through its web-based administrative interface. A remote attacker could exploit this vulnerability by intercepting network traffic and capturing the session ID during insecure transmission. Successful exploitation of this vulnerability could allow the attacker to hijack an authenticated session and compromise sensitive configuration information on the targeted device.

CVSS

No CVSS.

References

Link	Resource
https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2026-0004

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) Esta vulnerabilidad existe en los routers inalámbricos Tenda (Router Inalámbrico de 300Mbps F3 y Router de Configuración Sencilla N300) debido al uso de credenciales de inicio de sesión como el ID de sesión a través de su interfaz administrativa basada en web. Un atacante remoto podría explotar esta vulnerabilidad interceptando el tráfico de red y capturando el ID de sesión durante una transmisión insegura. La explotación exitosa de esta vulnerabilidad podría permitir al atacante secuestrar una sesión autenticada y comprometer información de configuración sensible en el dispositivo objetivo.

09 Jan 2026, 12:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-09 12:15

Updated : 2026-04-15 00:35

NVD link : CVE-2026-22082

Mitre link : CVE-2026-22082

CVE.ORG link : CVE-2026-22082

JSON object : View

Products Affected

No product.

CWE

CWE-384

Session Fixation

{"id": "CVE-2026-22082", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "vdisclose@cert-in.org.in", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.8, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-01-09T12:15:54.403", "references": [{"url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2026-0004", "source": "vdisclose@cert-in.org.in"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "vdisclose@cert-in.org.in", "description": [{"lang": "en", "value": "CWE-384"}]}], "descriptions": [{"lang": "en", "value": "This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the use of login credentials as the session ID through its web-based administrative interface. A remote attacker could exploit this vulnerability by intercepting network traffic and capturing the session ID during insecure transmission.\n \nSuccessful exploitation of this vulnerability could allow the attacker to hijack an authenticated session and compromise sensitive configuration information on the targeted device."}, {"lang": "es", "value": "Esta vulnerabilidad existe en los routers inal\u00e1mbricos Tenda (Router Inal\u00e1mbrico de 300Mbps F3 y Router de Configuraci\u00f3n Sencilla N300) debido al uso de credenciales de inicio de sesi\u00f3n como el ID de sesi\u00f3n a trav\u00e9s de su interfaz administrativa basada en web. Un atacante remoto podr\u00eda explotar esta vulnerabilidad interceptando el tr\u00e1fico de red y capturando el ID de sesi\u00f3n durante una transmisi\u00f3n insegura.\n\nLa explotaci\u00f3n exitosa de esta vulnerabilidad podr\u00eda permitir al atacante secuestrar una sesi\u00f3n autenticada y comprometer informaci\u00f3n de configuraci\u00f3n sensible en el dispositivo objetivo."}], "lastModified": "2026-04-15T00:35:42.020", "sourceIdentifier": "vdisclose@cert-in.org.in"}