| Title | Tenda Tenda, Wireless N300 Easy setup Router Model F3, Firmware V603 (March 10, 2020) Exposure of Sensitive System Information Due to Uncleared Debug |
|---|
| Description | Sensitive information exposure in Tenda WiFi Repeater firmware V603 allows an attacker with physical access to obtain credentials via an unauthenticated UART debug interface.
The device exposes a debug CLI over UART which allows execution of nvram commands without authentication. Using commands such as "nvram show" or "nvram get", an attacker can retrieve configuration data including WiFi WPA2 passphrases in plaintext.
Additionally, the device outputs sensitive information in cleartext during the boot process over the UART console.
This vulnerability results from insufficient protection of sensitive data and lack of access control on the debug interface.
Proof of Concept:
- During boot sequence, the debug interface exposes WPA2 network credentials in plain text.
- The UART debug CLI allows execution of nvram commands without authentication which can be exploited to expose network credentials (including the upstream network when router is used in repeating mode).
Example:
1) Sensitive information is printed during boot via UART console.
2)
nvram show
→ outputs configuration including plaintext credentials
nvram get wl0.1_wpa_psk
→ returns WiFi passphrase in plaintext
Vendor is notified and currently under 90 days disclosure. |
|---|
| User | ZEssaidi (UID 96801) |
|---|
| Submission | 03/26/2026 00:10 (16 days ago) |
|---|
| Moderation | 04/09/2026 11:54 (14 days later) |
|---|
| Status | Duplicate |
|---|
| VulDB entry | 242952 [D-Link DSL-2750U N300 ADSL2+/SL-2730U N150 ADSL2+ UART Interface access control] |
|---|
| Points | 0 |
|---|