CVE-2026-4252
Published: 16 March 2026
Summary
CVE-2026-4252 is a critical-severity Improper Authentication (CWE-287) vulnerability in Tenda Ac8 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 41.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-8 (Identification and Authentication (Non-organizational Users)).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires proper identification and authentication for non-organizational users, directly mitigating the IP address-based authentication bypass exploited by remote unauthenticated attackers.
Enforces approved access authorizations, preventing unauthorized access resulting from the flawed IPv6 handler's reliance on IP addresses for authentication.
Mandates validation of information inputs like IPv6 data, countering manipulation in the check_is_ipv6 function that enables authentication bypass.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability allows remote unauthenticated attackers to bypass authentication on a public-facing router management interface via improper IP address trust, directly enabling T1190: Exploit Public-Facing Application.
NVD Description
A vulnerability was identified in Tenda AC8 16.03.50.11. Affected by this issue is the function check_is_ipv6 of the component IPv6 Handler. The manipulation leads to reliance on ip address for authentication. It is possible to initiate the attack remotely. The…
more
exploit is publicly available and might be used.
Deeper analysisAI
CVE-2026-4252 is a critical authentication vulnerability affecting the Tenda AC8 router on firmware version 16.03.50.11. The issue resides in the check_is_ipv6 function of the IPv6 Handler component, where the system improperly relies on IP addresses for authentication, enabling bypass of security controls. Published on 2026-03-16, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWEs 287 (Improper Authentication) and 291 (Trusting Network Address).
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction required. By manipulating IPv6 handling, adversaries can bypass authentication to gain unauthorized access to the device, potentially achieving high impacts on confidentiality, integrity, and availability, such as executing arbitrary commands or altering configurations.
A proof-of-concept exploit demonstrating the IPv6 authentication bypass is publicly available on GitHub (https://github.com/digitalandrew/tenda_ac8_v5/blob/main/poc_ipv6_auth_bypass.py). VulDB provides detailed advisories (https://vuldb.com/?ctiid.351210, https://vuldb.com/?id.351210, https://vuldb.com/?submit.771759), and the vendor's site is at https://www.tenda.com.cn/. No specific patches or mitigations are detailed in the references.
The exploit is publicly available and might be used in the wild, increasing the risk for exposed Tenda AC8 devices.
Details
- CWE(s)