CVE-2026-1610

High

Published: 29 January 2026

Published

29 January 2026

Modified

27 February 2026

KEV Added

—

Patch

—

CVSS Score 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0004 13.8th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-1610 is a high-severity Use of Hard-coded Password (CWE-259) vulnerability in Tenda Ax12 Pro Firmware. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique External Remote Services (T1133); ranked at the 13.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to External Remote Services (T1133) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

IA-5 Authenticator Management good match

prevent

IA-5 prohibits the use of hard-coded authenticators, directly addressing the CWE-259 and CWE-798 hard-coded credentials vulnerability in the Telnet service.

SI-2 Flaw Remediation good match

prevent

SI-2 requires timely identification, reporting, and remediation of flaws like hard-coded credentials in vulnerable firmware versions.

CM-7 Least Functionality partial match

prevent

CM-7 mandates implementing only essential system capabilities, allowing prohibition of unnecessary Telnet service to mitigate remote exploitation risk.

MITRE ATT&CK Enterprise TechniquesAI

T1133 External Remote Services Persistence

Adversaries may leverage external-facing remote services to initially access and/or persist within a network.

attack.mitre.org →

T1078.001 Default Accounts Stealth

Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

attack.mitre.org →

Why these techniques?

Hard-coded credentials in exposed Telnet service directly enable unauthenticated remote access via external services and default/known accounts.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A vulnerability was found in Tenda AX12 Pro V2 16.03.49.24_cn. Affected by this issue is some unknown functionality of the component Telnet Service. Performing a manipulation results in hard-coded credentials. The attack is possible to be carried out remotely. A…

high degree of complexity is needed for the attack. The exploitation is known to be difficult. The exploit has been made public and could be used.

Deeper analysisAI

CVE-2026-1610 is a vulnerability involving hard-coded credentials in the Telnet Service of Tenda AX12 Pro V2 running firmware version 16.03.49.24_cn. The issue affects an unknown functionality within this component, classified under CWE-259 (Use of Hard-coded Password) and CWE-798 (Use of Hard-coded Credentials). It carries a CVSS v3.1 base score of 8.1 (High), reflecting network accessibility (AV:N), high attack complexity (AC:H), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), and high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). The vulnerability was published on 2026-01-29.

Attackers can exploit this remotely by manipulating the Telnet Service using the hard-coded credentials, though it requires a high degree of complexity and is known to be difficult to execute. No authentication or user interaction is needed, allowing unauthenticated remote actors to potentially gain high-level access. Successful exploitation could result in unauthorized disclosure of sensitive data, modification of system resources, and disruption of service availability.

Advisories and details are documented on VulDB (ctiid.343378, id.343378, submit.740766) and a GitHub issue at QIU-DIE/CVE/issues/49, with the vendor site at tenda.com.cn potentially providing further guidance. No specific patches or mitigations are detailed in the available information.

The exploit has been made public and could be used, increasing the risk for exposed Tenda AX12 Pro V2 devices on the specified firmware.

Details

CWE(s): CWE-259 CWE-798

Affected Products

tenda

ax12 pro firmware

16.03.49.24_cn

CVEs Like This One

CVE-2025-70798Same vendor: Tenda

CVE-2025-70802Same vendor: Tenda

CVE-2024-46436Same vendor: Tenda

CVE-2024-46433Same vendor: Tenda

CVE-2024-46429Same vendor: Tenda

CVE-2026-24429Same vendor: Tenda

CVE-2026-24430Same vendor: Tenda

CVE-2025-1898Same vendor: Tenda

CVE-2025-15007Same vendor: Tenda

CVE-2026-38835Same vendor: Tenda

References

https://github.com/QIU-DIE/CVE/issues/49
Broken Link, Issue Tracking · cna@vuldb.com
https://vuldb.com/?ctiid.343378
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.343378
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.740766
Third Party Advisory, VDB Entry · cna@vuldb.com
https://www.tenda.com.cn/
Product · cna@vuldb.com