Tenda F3 Plaintext Credential Exposure in Configuration Download Severity High Date 2/23/2026 Affected Product Tenda F3 Wireless Router firmware V12.01.01.55_multi vulnerability Details The configuration download response includes the router password and administrative password in plaintext. The endpoint omits appropriate Cache-Control directives, allowing the response to be stored in client-side caches and recovered by other local users or processes with access to cached browser data. References Tenda Product Webpage Credit Kazuma Matsumoto, a security researcher at GMO Cybersecurity by IERAE, Inc. Vulnerability Description Sensitive information exposure vulnerability in the configuration download functionality. The endpoint returns credentials in plaintext and lacks proper cache control.