critical advisory

Tenda AC6 Stack-Based Buffer Overflow Vulnerability

A stack-based buffer overflow vulnerability in Tenda AC6 version 15.03.05.16 allows remote attackers to execute arbitrary code by manipulating the WANT/WANS argument in the /goform/WizardHandle POST request handler.

A critical stack-based buffer overflow vulnerability has been identified in Tenda AC6 router firmware version 15.03.05.16. The vulnerability, tracked as CVE-2026-4960, resides within the fromWizardHandle function of the /goform/WizardHandle component, which handles POST requests. A remote attacker can exploit this vulnerability by sending a crafted POST request with a manipulated WANT or WANS argument, leading to arbitrary code execution on the device. Public exploit code is available, increasing the risk of widespread exploitation. This vulnerability poses a significant threat, potentially allowing attackers to gain complete control over vulnerable routers and compromise connected networks.

Attack Chain

  1. Attacker identifies a Tenda AC6 router running firmware version 15.03.05.16.
  2. The attacker crafts a malicious POST request targeting the /goform/WizardHandle endpoint.
  3. Within the POST request, the attacker manipulates the WANT or WANS argument to inject a payload exceeding the buffer size.
  4. The router processes the POST request, passing the attacker-controlled input to the vulnerable fromWizardHandle function.
  5. The overflow occurs when the fromWizardHandle function copies the attacker-supplied data into a fixed-size buffer on the stack without proper bounds checking.
  6. The injected payload overwrites adjacent memory locations on the stack, including the return address.
  7. When the fromWizardHandle function returns, it jumps to the attacker-controlled address.
  8. The attacker gains arbitrary code execution on the router, potentially leading to complete system compromise.

Impact

Successful exploitation of this vulnerability allows a remote attacker to gain complete control of the affected Tenda AC6 router. This can lead to a variety of malicious outcomes, including network hijacking, DNS poisoning, interception of network traffic, deployment of malware, and the creation of botnets. Given the widespread use of Tenda routers in home and small business networks, a large number of devices are potentially vulnerable. The CVSS v3.1 score of 8.8 reflects the high severity of this vulnerability.

Recommendation

  • Apply any available firmware updates from Tenda to patch CVE-2026-4960.
  • Monitor web server logs for suspicious POST requests to /goform/WizardHandle with abnormally long WANT or WANS parameters, using the Sigma rule described under Detection coverage below.
  • Implement network intrusion detection system (NIDS) rules to detect exploit attempts targeting the /goform/WizardHandle endpoint.
  • Restrict access to the router’s web interface from the public internet where possible to reduce the attack surface.

Detection coverage (2 rules)

Detect Tenda AC6 WizardHandle Buffer Overflow Attempt

critical

Detects suspicious POST requests to /goform/WizardHandle with excessively long WANT or WANS parameters, indicative of a buffer overflow attempt (CVE-2026-4960).

Format: sigma | Tactics: initial_access | Techniques: T1190 | Sources: webserver, linux

Detect Exploitation Attempt via HTTP POST Request to /goform/WizardHandle

high

Detects attempts to exploit a vulnerability by sending a POST request to /goform/WizardHandle.

Format: sigma | Tactics: initial_access | Techniques: T1190 | Sources: webserver, linux
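
One way to apply the length check that the first rule describes, shown as an added example (not the platform's Sigma rule and not vendor code): it parses a captured HTTP request and flags WANT or WANS values above a threshold. The 64-byte threshold, the helper names and the sample requests are assumptions; the advisory does not state the size of the stack buffer.

```python
"""Flag oversized WANT/WANS values in captured POSTs to /goform/WizardHandle."""
from urllib.parse import parse_qsl, urlsplit

TARGET_PATH = "/goform/WizardHandle"
WATCHED = {"WANT", "WANS"}
MAX_LEN = 64  # ASSUMPTION: triage threshold, not the firmware's real buffer size


def build_post(path: str, body: str) -> bytes:
    """Build a constructed form POST for testing the detector."""
    return (f"POST {path} HTTP/1.1\r\nHost: 192.0.2.1\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}").encode("latin-1")


def inspect_request(raw: bytes, max_len: int = MAX_LEN) -> list[dict]:
    """Return one finding per WANT/WANS value longer than max_len bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split()
    if len(parts) < 2 or parts[0].upper() != "POST":
        return []
    # Match on the path only: drop any query string and trailing slash.
    if urlsplit(parts[1]).path.rstrip("/") != TARGET_PATH:
        return []
    # latin-1 maps bytes 1:1 to characters, so len() counts decoded bytes
    # even when the value is percent-encoded or not valid UTF-8.
    fields = parse_qsl(body.decode("latin-1"), keep_blank_values=True,
                       encoding="latin-1")
    return [{"param": name, "length": len(value)}
            for name, value in fields
            if name in WATCHED and len(value) > max_len]


# Constructed sample requests (not captured traffic).
BENIGN = build_post(TARGET_PATH, "WANT=1&WANS=1")
OVERSIZED = build_post(TARGET_PATH, "WANT=1&WANS=" + "%41" * 600)
OTHER_PATH = build_post("/goform/other", "WANS=" + "A" * 600)  # hypothetical path

if __name__ == "__main__":
    for label, req in [("benign", BENIGN), ("oversized", OVERSIZED),
                       ("other path", OTHER_PATH)]:
        print(f"{label}: {inspect_request(req)}")
```

Lengths are measured after percent-decoding, so a value sent as `%41%41...` is counted by the bytes the handler would receive rather than by its encoded size.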
