CVE-2026-1610: Tenda AX12 Pro Auth Bypass Vulnerability

CVE-2026-1610 Overview

A hard-coded credentials vulnerability has been discovered in the Tenda AX12 Pro V2 router, specifically affecting firmware version 16.03.49.24_cn. The vulnerability exists within the Telnet Service component, where embedded credentials allow unauthorized remote access to the device. While the attack requires high complexity to execute, the exploit has been made public and could be leveraged by attackers targeting vulnerable network infrastructure.

Critical Impact

Successful exploitation of this hard-coded credentials vulnerability could allow remote attackers to gain unauthorized administrative access to the router, potentially compromising the entire network segment and enabling further lateral movement or data interception.

Affected Products

• Tenda AX12 Pro V2 Firmware Version 16.03.49.24_cn
• Tenda AX12 Pro V2 devices with Telnet Service enabled

Discovery Timeline

• 2026-01-29 - CVE-2026-1610 published to NVD
• 2026-01-29 - Last updated in NVD database

Technical Details for CVE-2026-1610

Vulnerability Analysis

This vulnerability is classified as CWE-259 (Use of Hard-coded Password), a common security weakness found in embedded devices and network equipment. The Tenda AX12 Pro V2 router contains hard-coded credentials within its Telnet Service component that cannot be changed by end users. This design flaw creates a persistent backdoor that remains exploitable across all devices running the affected firmware version.

The network-accessible nature of this vulnerability means attackers can potentially exploit it remotely without requiring local access to the target device. However, the exploitation is described as requiring high complexity, which may involve specific network conditions, timing requirements, or the need to bypass additional security measures to successfully leverage the hard-coded credentials.

Root Cause

The root cause of this vulnerability stems from improper credential management practices during the firmware development process. The Telnet Service was shipped with static, embedded credentials that are identical across all devices running the affected firmware version. This practice, while sometimes used for manufacturing testing or debugging purposes, creates significant security risks when devices are deployed in production environments without these credentials being removed or disabled.

Attack Vector

The attack vector for CVE-2026-1610 is network-based, targeting the Telnet Service exposed on the Tenda AX12 Pro V2 router. An attacker with network access to the device's Telnet port (typically port 23) could attempt to authenticate using the hard-coded credentials. Successful authentication would grant the attacker shell access to the router's underlying operating system, enabling full administrative control over the device.

The exploitation process involves identifying exposed Tenda AX12 Pro V2 devices, connecting to the Telnet Service, and authenticating with the discovered hard-coded credentials. Technical details regarding the specific credentials and exploitation methodology have been documented in the GitHub CVE Issue associated with this vulnerability.

Detection Methods for CVE-2026-1610

Indicators of Compromise

• Unexpected Telnet connections to port 23 on Tenda AX12 Pro V2 devices from external or unauthorized IP addresses
• Successful authentication attempts to the Telnet Service outside normal administrative activities
• Configuration changes to the router that were not initiated by authorized administrators
• Unusual outbound traffic patterns from the router indicating potential data exfiltration or command-and-control communication

Detection Strategies

• Monitor network traffic for Telnet (port 23) connection attempts targeting Tenda AX12 Pro V2 devices
• Implement intrusion detection system (IDS) rules to alert on successful Telnet authentications to vulnerable devices
• Deploy network segmentation to isolate IoT and network infrastructure devices, making unauthorized access attempts more visible
• Review router logs for authentication events and administrative shell access patterns

Monitoring Recommendations

• Enable comprehensive logging on network boundary devices to capture all Telnet traffic
• Configure SIEM alerting for any Telnet connections to known Tenda AX12 Pro V2 devices
• Establish baseline behavior for router administrative access and alert on deviations
• Conduct periodic vulnerability scans to identify devices running affected firmware versions

How to Mitigate CVE-2026-1610

Immediate Actions Required

• Disable the Telnet Service on all affected Tenda AX12 Pro V2 devices immediately
• Implement network access controls (firewall rules, ACLs) to block external access to port 23 on vulnerable devices
• Segment affected devices into isolated network zones with restricted access
• Monitor for firmware updates from Tenda that address this vulnerability
• Consider replacing affected devices if no vendor patch becomes available

Patch Information

At the time of publication, no official patch has been released by Tenda to address CVE-2026-1610. Organizations should monitor the Tenda official website for security advisories and firmware updates. Additional technical information is available through VulDB and the associated GitHub CVE Issue.

Workarounds

• Disable Telnet Service entirely and use alternative secure management protocols if available
• Implement strict firewall rules to prevent any external access to the router's management interfaces
• Use a VPN or jump host for administrative access, ensuring management traffic is encrypted and authenticated
• Deploy network monitoring to detect and alert on any attempts to access the Telnet Service

# Example firewall rule to block Telnet access (adjust for your environment)
iptables -A INPUT -p tcp --dport 23 -j DROP
iptables -A FORWARD -p tcp --dport 23 -d <ROUTER_IP> -j DROP