Cyber Resilience

CVE-2025-70802

HighPublic PoC

Published: 10 March 2026

Published
10 March 2026
Modified
09 April 2026
KEV Added
Patch
CVSS Score v3.1 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0018 7.6th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2025-70802 is a high-severity Use of Hard-coded Password (CWE-259) vulnerability in Tenda G1 Firmware. Its CVSS base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Local Accounts (T1078.003); ranked at the 7.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2025-70802 is a hardcoded password vulnerability (CWE-259) in the Tenda G1V3.1si firmware version V16.01.7.8, specifically within the /etc_ro/shadow file. This flaw allows attackers to authenticate as the root user by exploiting the static credentials embedded in the system. The vulnerability was published on 2026-03-10 and carries a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for complete system compromise.

Exploitation requires local access to the affected device, with low attack complexity, no privileges, and no user interaction needed. An attacker with such access—such as through physical proximity or prior network foothold—can use the hardcoded password to log in as root, achieving high-impact unauthorized access that compromises confidentiality, integrity, and availability of the router.

Advisories and further details are available in the vulnerability report at https://github.com/vuln-1/vuln/blob/main/Tenda/G1V3.1si_V16.01.7.8/report-1.md and on the Tenda website at https://www.tendacn.com/. No specific patch or mitigation steps are outlined in the provided references.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Tenda G1V3.1si V16.01.7.8 Firmware V16.01.7.8 was discovered to contain a hardcoded password vulnerability in /etc_ro/shadow, which allows attackers to log in as root.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1078.003 Local Accounts Stealth
Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
T1552.001 Credentials In Files Credential Access
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Why these techniques?

Hardcoded root password in /etc_ro/shadow directly supplies a valid local account (T1078.003) and constitutes unsecured credentials stored in a file (T1552.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-70798Same vendor: Tenda
CVE-2026-1610Same vendor: Tenda
CVE-2026-30140Same vendor: Tenda
CVE-2021-47802Same vendor: Tenda
CVE-2025-25428Shared CWE-259
CVE-2025-29357Same vendor: Tenda
CVE-2026-3729Same vendor: Tenda
CVE-2025-1853Same vendor: Tenda
CVE-2025-7415Same vendor: Tenda
CVE-2026-5841Same vendor: Tenda

Affected Assets

tenda
g1 firmware
16.01.7.8

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

IA-5 mandates proper authenticator management including changing default content and protecting from disclosure, directly preventing hardcoded root passwords in the shadow file.

preventrespond

SI-2 requires identification, reporting, and correction of flaws like hardcoded passwords in firmware, mitigating the vulnerability through remediation.

prevent

CM-6 enforces secure baseline configuration settings, directly addressing insecure hardcoded credentials in files like /etc_ro/shadow.

References