CVE-2025-27129 — Authentication Bypass Using an Alternate Path or Channel in AC6 V5.0

CWE-288 — Authentication Bypass Using an Alternate Path or Channel CWE-918 — Server-Side Request Forgery4 documents4 sources

Severity

9.8CRITICALNVD

GHSA5.0

EPSS

0.2%

top 62.30%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tenda AC6 V5.0 Tenda AC6 Firmware

Timeline

PublishedAug 20

Latest updateFeb 24

Description

An authentication bypass vulnerability exists in the HTTP authentication functionality of Tenda AC6 V5.0 V02.03.01.110. A specially crafted HTTP request can lead to arbitrary code execution. An attacker can send packets to trigger this vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5tenda/ac6_v5.0V02.03.01.110

▶NVDtenda/ac6_firmware02.03.01.110

🔴Vulnerability Details

GHSA

Craft CMS: Cloud Metadata SSRF Protection Bypass via IPv6 Resolution↗2026-02-24

▶

CVEList

CVE-2025-27129: An authentication bypass vulnerability exists in the HTTP authentication functionality of Tenda AC6 V5↗2025-08-20

▶

GHSA

GHSA-ph9v-qvxr-mh9x: An authentication bypass vulnerability exists in the HTTP authentication functionality of Tenda AC6 V5↗2025-08-20

▶