CVE-2026-11493: Tenda AC15 Samba Weak Password Requirements Vulnerability
Tenda AC15 routers running firmware version 15.03.05.19 contain a vulnerability in how they configure Samba file-sharing settings. An attacker with access to the local network can manipulate the Samba configuration file to weaken password requirements, making it easier to gain unauthorized access to shared files and network resources. While a public exploit exists, successful exploitation requires technical knowledge and specific network conditions.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.0 MEDIUM · CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-521
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-08 / 2026-06-17
NVD description (verbatim)
A weakness has been identified in Tenda AC15 15.03.05.19. The impacted element is an unknown function of the file /etc_ro/smb.conf of the component Samba. Executing a manipulation can lead to weak password requirements. The attack is only possible within the local network. A high complexity level is associated with this attack. The exploitability is regarded as difficult. The exploit has been made available to the public and could be used for attacks.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11493 involves improper password policy configuration in the Samba component of Tenda AC15 firmware 15.03.05.19. The vulnerability stems from weak controls over the /etc_ro/smb.conf configuration file, allowing local network attackers to modify password requirements. The attack chain requires high complexity and direct network access, but does not require authentication or user interaction. The CVSS 3.1 score of 5.0 (MEDIUM severity) reflects limited impact scope and the requirement for adjacent network proximity.
Business impact
For organizations deploying Tenda AC15 routers as network appliances or file servers, this vulnerability reduces the effectiveness of password-based access controls. An attacker could lower password complexity thresholds, enabling brute-force attacks against Samba shares. The impact is contained to SMB/CIFS file-sharing functionality rather than system-wide compromise, but credentials obtained through weakened password policies could enable lateral movement within the network segment served by the affected device.
Affected systems
Tenda AC15 routers running firmware version 15.03.05.19 are confirmed affected. The vulnerability is specific to this firmware release; other Tenda AC15 versions and other Tenda router models should be verified separately against Tenda's advisory documentation. Systems that have disabled Samba or do not rely on the SMB protocol are not exposed to this particular threat.
Exploitability
Public exploits are available, but practical exploitation remains difficult. The attack requires local network access—an attacker must be on the same network segment as the Tenda device. Additionally, the high complexity rating reflects the technical knowledge needed to manipulate the Samba configuration file and successfully weaken password policies. While not requiring pre-authentication, the attack is not a simple plug-and-play exploit; it demands understanding of Samba configuration syntax and local network positioning.
Remediation
Organizations should update Tenda AC15 firmware to the latest stable release beyond version 15.03.05.19. Tenda should be consulted for the patched firmware version and availability. Until patching is possible, restrict local network access to the router using network segmentation, disable Samba if not required, or implement access controls limiting which devices can communicate with the router's SMB services.
Patch guidance
Check Tenda's official support page and product advisory for firmware versions released after 15.03.05.19 that address CVE-2026-11493. Verify the patched version is compatible with your AC15 deployment before upgrading. Firmware updates should be applied during maintenance windows, as they typically require a device reboot. Document the current firmware version before and after patching for compliance records.
Detection guidance
Monitor network traffic for unusual SMB protocol activity on the affected router, particularly commands that modify the smb.conf file or alter password policy settings. Check the router's configuration audit logs for unauthorized changes to Samba parameters. Network intrusion detection systems should flag attempts to access or modify /etc_ro/smb.conf via SMB or SSH. Baseline the current Samba configuration on deployed AC15 devices and alert on deviations.
Why prioritize this
While the CVSS score is MEDIUM (5.0) and exploitation is difficult, the public availability of working exploits and the potential for password-policy manipulation justify prioritized attention. The vulnerability is most urgent for organizations relying on Tenda AC15 routers in environments with untrusted or semi-trusted local networks. Enterprises with strict network segmentation or those not using Samba may defer action, but should still plan patching as part of regular firmware maintenance cycles.
Risk score, explained
The score of 5.0 reflects moderate risk due to limited attack scope (adjacent network only), high attack complexity, and limited impact (confidentiality, integrity, and availability affected but not comprehensively). The CVSS vector CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L indicates that while the attack is locally feasible without authentication, the high complexity and bounded scope prevent a higher rating. Public exploit availability elevates practical risk beyond the base score.
Frequently asked questions
Does this vulnerability affect all Tenda AC15 routers?
No. Only Tenda AC15 devices running firmware version 15.03.05.19 are confirmed affected. Other firmware versions should be verified against Tenda's official advisory. If you are unsure of your device's firmware version, access the router's web interface and check the System Settings or About section.
Can this vulnerability be exploited remotely over the internet?
No. The vulnerability requires local network access. An attacker must be connected to the same network segment as the router or able to reach it through internal network paths. Remote exploitation from the internet is not possible due to the Adjacent Network (AV:A) requirement in the CVSS vector.
What should I do if I cannot patch immediately?
Implement network segmentation to restrict which devices can access the router's SMB services. Disable Samba if it is not actively used. Monitor SMB traffic and configuration logs for unauthorized changes. In high-security environments, isolate the affected router to a dedicated management network until patching is feasible.
How does weakening password requirements increase risk?
By lowering password complexity or length requirements, attackers can conduct faster brute-force attacks against shared folders and file services. Credentials obtained this way could be reused elsewhere on the network if users employ the same passwords across systems, potentially enabling lateral movement.
This analysis is based on available technical data as of the vulnerability publication date and should not be considered legal or compliance advice. Patch availability, vendor timelines, and affected versions may change; consult Tenda's official security advisory for authoritative information. Organizations must conduct their own risk assessment based on their network environment and exposure. SEC.co provides this information for informational purposes and makes no warranty regarding its accuracy or completeness. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2016-20064MEDIUMWP Vault 0.8.6.6 Arbitrary File Read via Directory Traversal
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2018-25387MEDIUMHaPe PKH 1.1 Cross-Site Request Forgery (CSRF) Admin Password Reset
- CVE-2018-25393MEDIUMNavigate CMS 2.8.5 Path Traversal Vulnerability (CVSS 6.5)
- CVE-2018-25397MEDIUMCSRF Vulnerability in PHP-SHOP 1.0 – Admin Account Injection
- CVE-2018-25421MEDIUMOpen STA Manager 2.3 Path Traversal File Download Vulnerability
- CVE-2018-25423MEDIUMBuffer Overflow Denial of Service in Arm Whois 3.11
- CVE-2018-25435MEDIUMZeusCart 4.0 CSRF Vulnerability – Account Deactivation Risk