CVE-2020-35391

CRITICAL · EXPLOITED IN THE WILD

Tenda N300 F3 12.01.01.48 - Info Disclosure

Title source: llm

Exploitation Summary

CVE-2020-35391 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 4 public exploits from researchers including @h454nsec, 4d000, H454NSec.

AI-analyzed exploit summary
This exploit targets CVE-2020-35391, an information disclosure vulnerability in Tenda N300 F3 routers. It sends a malformed HTTP request to download the router's configuration file, which contains the admin password in base64-encoded format. The script decodes and extracts the password, then saves the configuration and credentials to files.

Description

Tenda N300 F3 12.01.01.48 devices allow remote attackers to obtain sensitive information (possibly including an http_passwd line) via a direct request for cgi-bin/DownloadCfg/RouterCfm.cfg, a related issue to CVE-2017-14942. NOTE: the vulnerability report may suggest that either a ? character must be placed after the RouterCfm.cfg filename, or that the HTTP request headers must be unusual, but it is not known why these are relevant to the device's HTTP response behavior.

Exploits (4)

exploitdb · WORKING POC
by @h454nsec · python · remote · hardware
https://www.exploit-db.com/exploits/51317

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Tenda N300 F3 (Firmware 12.01.01.48 and others)
No auth needed
Prerequisites: Network access to the target router · Router must be vulnerable (CVE-2020-35391)
devstral-2 · analyzed Feb 16, 2026

nomisec · WORKING POC · 3 stars
by 4d000 · infoleak
https://github.com/4d000/Tenda-F3-V4

This repository contains a functional Python script that exploits CVE-2020-35391, an unauthenticated file download vulnerability in Tenda F3 routers (v3/v4). The exploit allows downloading sensitive files such as configuration, system logs, and flash dumps, and extracts admin credentials from the configuration file.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Tenda F3 Router v3/v4
No auth needed
Prerequisites: Network access to the target router · Python 3.x environment
devstral-2 · analyzed Feb 18, 2026

nomisec · WORKING POC · 2 stars
by H454NSec · infoleak
https://github.com/H454NSec/CVE-2020-35391

The repository contains a functional Python exploit for CVE-2020-35391, targeting Tenda F3 routers. It leverages malformed HTTP headers to bypass authentication and dump configuration files, including credentials.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Tenda F3 routers (all versions, confirmed on F3v3.0 firmware)
No auth needed
Prerequisites: Network access to the target router · Python 3 with requests and mmh3 libraries
devstral-2 · analyzed Feb 18, 2026

nomisec · WORKING POC · 2 stars
by dumitory-dev · infoleak
https://github.com/dumitory-dev/CVE-2020-35391-POC

This repository contains a functional Python PoC for CVE-2020-35391, an authentication bypass vulnerability in Tenda N300 routers. The exploit sends a malformed HTTP request to retrieve sensitive configuration data, including the base64-encoded password, from the router's configuration file.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Tenda N300 F3 12.01.01.48
No auth needed
Prerequisites: Network access to the vulnerable Tenda N300 router
devstral-2 · analyzed Feb 18, 2026

Scores

CVSS v3 9.6
EPSS 0.3500
EPSS Percentile 98.2%
Attack Vector ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Details

VulnCheck KEV 2024-09-18
InTheWild.io 2024-09-18
CWE
CWE-425
Status published
Products (1)
tenda/f3_firmware 12.01.01.48
Published Jan 01, 2021
Tracked Since Feb 18, 2026