Tenda i9 Path Traversal (CVE-2026-7036) Exposes Networks to Remote Exploitation
The National Vulnerability Database has disclosed CVE-2026-7036, a high-severity path traversal vulnerability impacting Tenda i9 1.0.0.5(2204) wireless routers. Specifically, the flaw resides within the R7WebsSecurityHandlerfunction component of the HTTP Handler. This is not a theoretical bug; the National Vulnerability Database confirms that a public exploit is available and already being used in the wild.
This vulnerability allows for remote exploitation, meaning attackers don’t need local network access to trigger the flaw. A successful path traversal attack can lead to unauthorized access to arbitrary files on the affected device, potentially exposing sensitive configuration data, credentials, or even enabling further system compromise. The CVSS score of 7.3 (HIGH) underscores the significant risk.
For defenders, this is a critical alert. Unpatched Tenda i9 devices running the specified firmware version are sitting ducks. The attacker’s calculus is straightforward: find these devices, hit them with the publicly available exploit, and gain a foothold. This is a low-effort, high-reward attack for adversaries, making it a prime target for automated scanning and exploitation.
What This Means For You
- If your organization or home network uses a Tenda i9 router, specifically model 1.0.0.5(2204), you need to act immediately. This isn't a hypothetical threat; the exploit is public. Check your device firmware version and apply any available patches from Tenda without delay. Assume compromise if you cannot patch, and segment these devices off your critical networks.
Related ATT&CK Techniques
🛡️ Detection Rules
2 rules · 6 SIEM formats2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
Tenda i9 Path Traversal Attempt (CVE-2026-7036)
title: Tenda i9 Path Traversal Attempt (CVE-2026-7036)
id: scw-2026-04-26-ai-1
status: experimental
level: critical
description: |
Detects attempts to exploit the path traversal vulnerability (CVE-2026-7036) in Tenda i9 devices. The rule specifically looks for the double URL-encoded path traversal sequences in the URI and query parameters, which are characteristic of this exploit targeting the R7WebsSecurityHandlerfunction.
author: SCW Feed Engine (AI-generated)
date: 2026-04-26
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-7036/
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection:
cs-uri|contains:
- '/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..'
cs-uri-query|contains:
- '..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..'
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-7036 | Path Traversal | Tenda i9 version 1.0.0.5(2204) |
| CVE-2026-7036 | Path Traversal | Component: HTTP Handler |
| CVE-2026-7036 | Path Traversal | Function: R7WebsSecurityHandlerfunction |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 26, 2026 at 15:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
CVE-2026-7039: tufantunc ssh-mcp Local Command Injection Exposed
CVE-2026-7039 — A security vulnerability has been detected in tufantunc ssh-mcp up to 1.5.0. The affected element is the function shell.write of the file src/index.ts....
CVE-2026-7037: Totolink A8000RU Critical OS Command Injection
CVE-2026-7037 — A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function setVpnPassCfg of the file /cgi-bin/cstecgi.cgi of the component...
Tenda FH1202 Router Vulnerability (CVE-2026-7035) Exposes Networks
CVE-2026-7035 — A vulnerability was determined in Tenda FH1202 1.2.0.14. This affects the function fromWrlclientSet of the file /goform/WrlclientSet of the component httpd. Executing a...