Platform: tenda
Component: tenda
Fixed in: 1.0.1
CVE-2026-5962 identifies a Path Traversal vulnerability within the Tenda CH22 router, specifically impacting firmware versions from 1.0.0 through 1.0.0.6(468). This flaw allows attackers to potentially access sensitive files and directories on the device through remote exploitation. A fix is available from the vendor, and immediate action is recommended to mitigate the risk.
The Path Traversal vulnerability in Tenda CH22 allows an attacker to bypass intended access restrictions and retrieve arbitrary files from the router's file system. This could include configuration files, system logs, or even user credentials stored on the device. Successful exploitation could lead to unauthorized access to the router's internal workings, potentially enabling further attacks such as command execution or data exfiltration. The public availability of an exploit significantly increases the risk of widespread exploitation.
This vulnerability is considered actively exploitable due to the public availability of a proof-of-concept. It was disclosed on 2026-04-09 and added to the NVD database. The EPSS score is likely to be medium or high given the ease of exploitation and the potential impact. No KEV listing is currently available.
Exploit Status
EPSS: 0.06% (19th percentile)
The primary mitigation for CVE-2026-5962 is to upgrade the Tenda CH22 firmware to a patched version as soon as it becomes available. Until the upgrade is possible, implement temporary mitigations such as configuring a Web Application Firewall (WAF) to filter requests containing path traversal sequences (e.g., '../'). Restrict access to the router's web interface from untrusted networks. Regularly monitor router logs for suspicious activity and unusual file access attempts.
Upgrade the Tenda CH22 device firmware to a fixed version that addresses the path traversal vulnerability. Check the official Tenda website or contact technical support to obtain the latest firmware version.
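The request-filtering and log-monitoring mitigation described above, as an added example that is not from the vendor or this advisory: a Python check that decodes each request target and flags `..` path segments in access-log lines. The log format, paths and addresses are constructed assumptions; the advisory does not name the affected endpoint.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumed log format (common log format); adjust to what your proxy or device emits.
LOG_RE = re.compile(r'^(?P<client>\S+) .*?"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')
# A ".." segment bounded by a separator or the start/end of the value.
DOTDOT = re.compile(r"(^|/)\.\.(/|$)")

# Constructed sample lines; paths and addresses are illustrative only.
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Apr/2026:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [09/Apr/2026:10:00:02 +0000] "GET /download?file=../../secret.txt HTTP/1.1" 200 90',
    '198.51.100.7 - - [09/Apr/2026:10:00:03 +0000] "GET /static/%252e%252e/%252e%252e/secret.txt HTTP/1.1" 404 0',
    '203.0.113.5 - - [09/Apr/2026:10:00:05 +0000] "GET /download?file=..%5c..%5csecret.txt HTTP/1.1" 200 90',
    '192.0.2.10 - - [09/Apr/2026:10:00:09 +0000] "GET /docs/v1..2/notes.txt HTTP/1.1" 200 77',
]

def normalize(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is inspected in plain form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")  # treat backslash as a path separator

def has_traversal(request_target):
    """True if the path or any query value holds a '..' segment after decoding."""
    parts = urlsplit(request_target)
    candidates = [parts.path]
    for pair in parts.query.split("&"):
        candidates.append(pair.partition("=")[2] or pair)
    return any(DOTDOT.search(normalize(c)) for c in candidates if c)

def suspicious_lines(log_lines):
    """Return (client, target) for every parsed line whose target is flagged."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and has_traversal(m.group("target")):
            hits.append((m.group("client"), m.group("target")))
    return hits

if __name__ == "__main__":
    for client, target in suspicious_lines(SAMPLE_LOG):
        print(f"traversal attempt from {client}: {target}")
```

Matching on decoded path segments rather than the literal string `../` keeps encoded variants from slipping past the filter and avoids flagging names such as `v1..2`.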
CVE-2026-5962 is a Path Traversal vulnerability affecting Tenda CH22 routers, allowing attackers to access sensitive files remotely.
If you are using a Tenda CH22 router with firmware versions 1.0.0–1.0.0.6(468), you are potentially affected by this vulnerability.
Upgrade your Tenda CH22 router to the latest firmware version as soon as it's available. Until then, implement WAF rules to restrict file access.
Yes, a public proof-of-concept exists, indicating active exploitation is likely.
Please refer to the Tenda security advisories page for updates and official information regarding CVE-2026-5962.