Tenda F451 Router Stack-Based Buffer Overflow Vulnerability

A stack-based buffer overflow vulnerability has been identified in Tenda F451 router firmware version 1.0.0.7. The vulnerability resides in the fromDhcpListClient function within the /goform/DhcpListClient component’s httpd service. A remote attacker can exploit this vulnerability by sending a specially crafted HTTP request with a malicious page argument. This can lead to arbitrary code execution on the device. Given the public availability of the exploit (CVE-2026-6120), Tenda F451 routers are at immediate risk of compromise if not properly secured. This vulnerability poses a significant threat due to the widespread use of Tenda routers in home and small office environments.

Attack Chain

1. Attacker identifies a Tenda F451 router running vulnerable firmware version 1.0.0.7.
2. The attacker crafts a malicious HTTP GET or POST request targeting the /goform/DhcpListClient endpoint.
3. The crafted request includes a page argument with a string exceeding the buffer size allocated for it in the fromDhcpListClient function.
4. The httpd service on the router receives the malicious request and passes the page argument to the vulnerable function.
5. The fromDhcpListClient function attempts to copy the oversized page argument into a fixed-size buffer on the stack, causing a buffer overflow.
6. The overflow overwrites adjacent stack memory, including the return address of the function.
7. The attacker controls the overwritten return address, redirecting execution to attacker-controlled code or a ROP chain.
8. The attacker gains arbitrary code execution on the router, potentially leading to complete device compromise and network access.

Impact

Successful exploitation of this vulnerability can lead to complete compromise of the Tenda F451 router. This allows attackers to control the device, intercept network traffic, change DNS settings, inject malicious scripts into web pages served to connected devices, or use the router as a pivot point for further attacks within the network. This vulnerability affects all users of the Tenda F451 router running firmware version 1.0.0.7, potentially impacting thousands of devices globally. Given the high CVSS score of 8.8, the risk is substantial.

Recommendation

• Monitor web server logs for suspicious requests targeting the /goform/DhcpListClient endpoint, especially those with unusually long page parameters (refer to the rule Tenda F451 Suspicious URI Length).
• Inspect network traffic for abnormal patterns related to compromised routers (unusual DNS requests, connections to known malicious IPs).
• Implement rate limiting and input validation on web server endpoints where possible to mitigate buffer overflow attempts.
• Apply any available firmware updates from Tenda to patch CVE-2026-6120, although patches may not be available.
• Consider deploying network intrusion detection systems (NIDS) to identify and block exploitation attempts (refer to the Tenda F451 Buffer Overflow Attempt rule).