Tenda CH22 Path Traversal Vulnerability (CVE-2026-5962)
A path traversal vulnerability exists in Tenda CH22 version 1.0.0.6(468), affecting the R7WebsSecurityHandler function within the httpd component, allowing remote attackers to access sensitive files.
CVE-2026-5962 describes a path traversal vulnerability in Tenda CH22 router firmware version 1.0.0.6(468). The vulnerability resides within the R7WebsSecurityHandler function of the httpd component. This allows an unauthenticated, remote attacker to potentially read sensitive files on the device by manipulating the file paths in HTTP requests. The vulnerability was reported in April 2026, and public exploits are available, increasing the risk of exploitation. Routers are often exposed directly to the internet, making them prime targets for attackers looking to gain unauthorized access to internal networks or sensitive data.
Attack Chain
- The attacker identifies a Tenda CH22 router running firmware version 1.0.0.6(468) accessible over the network.
- The attacker crafts a malicious HTTP GET or POST request targeting the
httpdservice. - The request includes a manipulated URL containing path traversal sequences (e.g.,
../) within a filename parameter. - The
R7WebsSecurityHandlerfunction fails to properly sanitize the supplied path. - The
httpdservice processes the request and attempts to access the file specified by the attacker-controlled path. - Due to the path traversal vulnerability, the service accesses files outside the intended web directory.
- The contents of the accessed file are returned in the HTTP response to the attacker.
- The attacker obtains sensitive information, such as configuration files, credentials, or other system data.
Impact
Successful exploitation of this path traversal vulnerability allows an attacker to read arbitrary files on the Tenda CH22 router. This can lead to the disclosure of sensitive information such as router configuration details, Wi-Fi passwords, or credentials for other services. This information can be used for further attacks, such as gaining unauthorized access to the network behind the router, or using the router as a foothold for lateral movement. The number of affected devices and users is currently unknown.
Recommendation
- Monitor web server logs for suspicious URL requests containing path traversal sequences like
../targeting Tenda CH22 devices based on thewebservercategory rule provided below. - Implement a web application firewall (WAF) rule to block requests containing path traversal attempts to mitigate the vulnerability as it exploits the
httpdcomponent. - Apply any available patches or firmware updates from Tenda to address CVE-2026-5962, if available.
Detection coverage 2
Detect Path Traversal Attempts in Tenda CH22 via Web Logs
highDetects potential path traversal attempts targeting Tenda CH22 routers by monitoring web server logs for suspicious URL patterns.
Detect Path Traversal in HTTP Request Headers
mediumDetects path traversal attempts in HTTP request headers, potentially indicating exploitation of vulnerabilities like CVE-2026-5962.
Detection queries are available on the platform. Get full rules →