Primary

Context

Tenda i12 Path Traversal Vulnerability Allowing Whitelist Bypass

Vulnerability

A critical path traversal vulnerability has been identified in the Tenda i12 router, specifically in version 1.0.0.11(3862). The issue arises within the HTTP Handler component, where the R7WebsSecurityHandler function improperly validates URL paths. This flaw allows unauthenticated remote attackers to exploit directory traversal sequences to access sensitive files, bypassing authentication and potentially leading to unauthorized administrative access.

Impact

Exploitation of this vulnerability allows for unauthenticated access to sensitive resources and administrative interfaces on the affected router.

Reproduction

To reproduce this vulnerability, send an HTTP GET request to the router's IP address, targeting a URL that begins with a whitelisted prefix, such as '/public/'. Include directory traversal sequences, like '../', to escape the restricted directory and access sensitive files, such as 'system_upgrade.asp'.

Added: Apr 9, 2026, 6:19 AM

Updated: Apr 9, 2026, 6:19 AM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

5.0

exploitability

8.7

remediation

0.0

relevance

5.5

threat

6.4

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

5.0

exploitability

8.7

remediation

0.0

relevance

5.5

threat

6.4

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Tenda i12 Path Traversal Vulnerability Allowing Whitelist Bypass

Vulnerability

Impact

Reproduction

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating