Security Desk | CVE-2026-7036 | path-traversal tenda-i9 remote-exploitation http-handler

Your Tenda Router Has a Hidden Door — And Hackers Already Have the Key

Imagine a stranger being able to walk through the walls of your home, read every document on your desk, and leave without ever knocking. That is essentially what a newly disclosed vulnerability in a popular Tenda home and small-business router allows an attacker to do — and the step-by-step instructions for doing it are already posted online for anyone to use.

Who Is Affected, and Why It Matters

The device in question is the Tenda i9, a wireless router widely sold across North America, Europe, and Southeast Asia through Amazon, Newegg, and regional electronics chains. The vulnerable firmware version — 1.0.0.5 (build 2204) — ships as the factory default on a large portion of units currently in homes, small offices, dental practices, real estate agencies, and anywhere else that bought a budget-friendly router without a dedicated IT team watching over it.

Tenda consistently ranks among the top five best-selling router brands in several global markets. While precise install-base figures for the i9 model are not publicly disclosed, Tenda's broader market share suggests tens of thousands of these specific devices are internet-facing right now. For every one of them still running the default firmware, the door described below is standing open.

⚠️ Quick Check Log into your router admin panel (usually 192.168.0.1 or 192.168.1.1) and look for the firmware version under System > Firmware. If you see 1.0.0.5(2204), keep reading — the fix section at the bottom is for you.

What an Attacker Can Actually Do to You

Every router has a small built-in web server — it's how you access that admin login page from your browser. The Tenda i9's web server uses a gatekeeper function whose job is to check whether a visitor is allowed to see a requested page or file. Think of it like a bouncer at a club checking IDs. The problem is that this particular bouncer can be tricked with a simple disguise.

By crafting a web address with a specific sequence of characters — dots, slashes, and encoded text — an attacker can tell the router's web server to step outside the rooms it's supposed to show visitors and go fetch files from completely different parts of the router's internal storage. This technique is called path traversal, and it's one of the oldest tricks in the hacker playbook precisely because it keeps working when developers don't anticipate it. No password is needed. No special software is required on the attacker's end beyond a web browser or a free command-line tool. The exploit code is already publicly posted.

What's in those off-limits files? Potentially everything that makes your network tick: saved Wi-Fi passwords, the credentials used to manage your internet connection, internal network maps, and configuration data that could give an attacker a persistent foothold to redirect your traffic, intercept logins to your bank or email, or pivot deeper into other devices on your network — your laptop, your smart TV, your security cameras. For a small business, that list extends to client data, point-of-sale systems, and anything else that trusts the local network.

🔬 Technical Anchor — For the Researchers in the Room CVE-2026-7036 | CVSS v3: 7.3 (HIGH)

The vulnerability resides in the R7WebsSecurityHandler function within the HTTP Handler component of Tenda i9 firmware 1.0.0.5(2204). The function fails to adequately sanitize user-supplied URL path segments before resolving them against the server's document root, enabling classic CWE-22 (Path Traversal / Directory Traversal) exploitation. Because the HTTP handler operates pre-authentication on incoming requests, no session token or credential is required to trigger the traversal. The attack surface is the WAN or LAN interface depending on remote management configuration. A public proof-of-concept exploit has been confirmed available, elevating the practical risk beyond what the base CVSS score alone conveys.

How This Was Found — and What We Know About Exploitation

The vulnerability was filed under CVE-2026-7036 and carries a CVSS score of 7.3 out of 10, rated HIGH severity. The disclosure follows a pattern increasingly common with budget networking hardware: a researcher examines the device firmware, finds that a core security check can be bypassed, documents it, and publishes the finding along with a working proof-of-concept to pressure the vendor into issuing a patch.

As of publication, no active exploitation in the wild has been confirmed by threat intelligence services. However, that distinction carries an asterisk the size of a billboard: the exploit is already publicly available. In past cases involving similar router vulnerabilities — including Tenda's own CVE-2023-37713 and the TP-Link saga of 2022–2023 — public exploit code preceded documented mass exploitation by days to weeks, not months. Botnets like Mirai and its descendants are specifically engineered to scan the entire internet for exactly this class of vulnerability within hours of public disclosure. The window to act is measured in days.

"A public PoC on a pre-auth path traversal in a consumer router is basically a countdown timer." — Common refrain among network security responders familiar with the router exploit ecosystem.

There is currently no public statement from Tenda confirming awareness of the vulnerability or a timeline for a patched firmware release.

🛡️ What To Do Right Now — 3 Specific Steps

Update your firmware immediately. Log into your Tenda i9 admin panel at 192.168.0.1 (default credentials are usually admin / admin — change those too). Navigate to Advanced > System Tools > Firmware Upgrade and check for any version newer than 1.0.0.5(2204). If no update is available through the panel, visit Tenda's official firmware download page and search for the i9 manually. Install anything newer than build 2204 as soon as it appears.
Disable remote management right now. If you don't actively manage your router from outside your home or office network, there is no reason for the admin interface to be reachable from the internet. In the Tenda i9 interface, go to Advanced > Remote Web Management and ensure it is set to Disabled. This does not fully eliminate risk from an attacker already on your local network, but it dramatically shrinks the attack surface for the most common scenario — opportunistic internet-wide scanning.
Consider replacing the device if no patch is issued within 30 days. Budget router vendors have an uneven track record of patching older models. If Tenda has not released a firmware version that explicitly addresses CVE-2026-7036 by the time you read this, treat the i9 running 1.0.0.5(2204) as end-of-life for security purposes. Replacement options with stronger patch histories include the TP-Link Archer AX55 (firmware updated through the Tether app), the Asus RT-AX58U, or any router running open-source firmware such as OpenWrt, which receives community patches rapidly and independently of the original manufacturer.

This article will be updated as Tenda responds or if active exploitation is confirmed. If you are a security researcher with additional technical details about this vulnerability, contact us through our secure tip line.