CVE-2026-5526
Published: 04 April 2026
Summary
CVE-2026-5526 is a high-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Tenda 4G03 Pro Firmware. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 17.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
AC-3 mandates enforcement of approved access authorizations, directly countering the improper access controls in the Tenda router's /bin/httpd component.
AC-6 enforces least privilege principles, addressing the CWE-266 incorrect privilege assignment that enables remote exploitation of this vulnerability.
SI-2 requires timely identification and correction of flaws like CVE-2026-5526, preventing exploitation especially with public exploits available.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is an improper access control issue in the public-facing /bin/httpd web server component of a router, directly enabling remote unauthenticated exploitation of a public-facing application.
NVD Description
A security flaw has been discovered in Tenda 4G03 Pro up to 1.0/1.1/04.03.01.53/192.168.0.1. Affected by this vulnerability is an unknown functionality of the file /bin/httpd. The manipulation results in improper access controls. The attack may be performed from remote. The…
more
exploit has been released to the public and may be used for attacks.
Deeper analysisAI
CVE-2026-5526 is a vulnerability involving improper access controls in an unknown functionality of the /bin/httpd component within Tenda 4G03 Pro routers, affecting versions up to 1.0, 1.1, 04.03.01.53, and associated with the default IP 192.168.0.1. Published on 2026-04-04, it is linked to CWE-266 (Incorrect Privilege Assignment) and CWE-284 (Improper Access Control), earning a CVSS 3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity.
The vulnerability enables remote exploitation over the network with low attack complexity, requiring no privileges or user interaction. Attackers can manipulate the affected functionality to bypass access controls, potentially achieving low-level impacts on confidentiality, integrity, and availability. An exploit for this issue has been publicly released, increasing the risk of real-world attacks.
Advisories detailing the vulnerability are available on VulDB at https://vuldb.com/vuln/355279, https://vuldb.com/vuln/355279/cti, and a submission page at https://vuldb.com/submit/782052, along with the vendor site at https://www.tenda.com.cn/. Security practitioners should review these sources for any recommended mitigations or patches.
Details
- CWE(s)