Tenda HG3 v2.0 Stack-Based Buffer Overflow in formUploadConfig

A stack-based buffer overflow vulnerability has been identified in Tenda HG3 version 2.0. The vulnerability exists within the formUploadConfig function of the /boaform/formIPv6Routing file. A remote attacker can exploit this by manipulating the destNet argument, potentially leading to arbitrary code execution on the device. The vulnerability, identified as CVE-2026-7151, has a publicly available exploit, increasing the risk of exploitation. This poses a significant threat to users of Tenda HG3 v2.0 routers, potentially allowing attackers to gain unauthorized access and control over the device. The CVSS v3.1 score is rated as 8.8 (HIGH).

Attack Chain

1. Attacker identifies a Tenda HG3 v2.0 router with default or known credentials, or no authentication at all.
2. The attacker sends a crafted HTTP POST request to /boaform/formIPv6Routing.
3. The request targets the formUploadConfig function.
4. The destNet argument within the HTTP POST data is manipulated with a string exceeding the buffer size.
5. The formUploadConfig function processes the oversized destNet argument without proper bounds checking.
6. This causes a stack-based buffer overflow, overwriting adjacent memory regions on the stack.
7. The attacker gains arbitrary code execution on the device by overwriting the return address or other critical data on the stack.
8. The attacker can then leverage this to gain full control of the device, potentially modifying settings, injecting malware, or using it as part of a botnet.

Impact

Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the affected Tenda HG3 v2.0 router. This could lead to complete compromise of the device, allowing the attacker to monitor network traffic, change router settings, or use the device as a launchpad for further attacks against other devices on the network. Given the potential for widespread exploitation due to the publicly available exploit, a large number of Tenda HG3 v2.0 users are at risk.

Recommendation

• Monitor web server logs for unusual POST requests to /boaform/formIPv6Routing with excessively long destNet parameters to detect potential exploit attempts (see example Sigma rule below).
• Implement rate limiting for requests to /boaform/formIPv6Routing to mitigate brute-force exploitation attempts.
• Apply available patches or firmware updates from Tenda to address CVE-2026-7151 on vulnerable HG3 2.0 devices.
• Consider deploying a web application firewall (WAF) rule to filter out malicious requests targeting the destNet parameter in /boaform/formIPv6Routing.