high advisory

Tenda F1202 Stack-Based Buffer Overflow Vulnerability (CVE-2026-9430)

A stack-based buffer overflow vulnerability (CVE-2026-9430) exists in Tenda F1202 version 1.2.0.20(408). Manipulating the 'dips' argument handled by the 'formGstDhcpSetSer' function of '/goform/GstDhcpSetSerof' overflows a stack buffer, allowing remote code execution.

A stack-based buffer overflow vulnerability, identified as CVE-2026-9430, affects Tenda F1202 router version 1.2.0.20(408). The vulnerability lies within the formGstDhcpSetSer function in the /goform/GstDhcpSetSerof file. By manipulating the dips argument, an attacker can trigger a buffer overflow. The vulnerability is remotely exploitable, and public exploits are available, increasing the risk of widespread exploitation. This poses a significant threat to users of the affected router model, potentially allowing attackers to gain unauthorized access and control over the device.

Attack Chain

  1. The attacker identifies a Tenda F1202 router running firmware version 1.2.0.20(408) accessible over the network.
  2. The attacker sends a crafted HTTP POST request to the /goform/GstDhcpSetSerof endpoint.
  3. The HTTP POST request includes a malicious payload within the dips argument, designed to overflow the buffer on the stack.
  4. The formGstDhcpSetSer function processes the request without proper bounds checking on the dips argument.
  5. The oversized dips value overwrites adjacent memory on the stack, including the return address.
  6. When the formGstDhcpSetSer function returns, it jumps to the address overwritten by the attacker’s payload.
  7. The attacker’s payload executes arbitrary code on the router, potentially granting shell access or modifying router configuration.
  8. The attacker can then use this access to pivot to other devices on the network, establish a persistent backdoor, or disrupt network services.

Impact

Successful exploitation of CVE-2026-9430 allows a remote attacker to execute arbitrary code on the Tenda F1202 router. This can lead to complete compromise of the device, potentially enabling attackers to steal sensitive information, modify router settings, or use the router as a node in a botnet. Given the public availability of exploit code, unpatched devices are at high risk of compromise.

Recommendation

  • Apply any available firmware updates from Tenda to patch CVE-2026-9430 on affected F1202 routers.
  • Monitor web server logs for suspicious POST requests to /goform/GstDhcpSetSerof with unusually long dips arguments, using the provided Sigma rule.
  • Implement network intrusion detection system (IDS) rules to detect exploit attempts targeting the formGstDhcpSetSer function.
  • Restrict access to the router’s web interface from the public internet to reduce the attack surface.

Detection coverage (2 rules)

Detect CVE-2026-9430 Exploitation Attempt - Suspicious POST to /goform/GstDhcpSetSerof

high

Detects CVE-2026-9430 exploitation attempts by monitoring for suspicious POST requests to the /goform/GstDhcpSetSerof endpoint with a long 'dips' parameter, indicative of a buffer overflow attempt.

sigma | tactics: initial_access | techniques: T1189 | sources: webserver

Detect CVE-2026-9430 Exploitation Attempt - HTTP POST to /goform/GstDhcpSetSerof with Shell Metacharacters in dips

high

Detects CVE-2026-9430 exploitation: HTTP POST to /goform/GstDhcpSetSerof with shell metacharacters in the dips parameter, indicating a command injection attempt.

sigma | tactics: initial_access | techniques: T1190 | sources: webserver
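
The two checks described by the rules above (an unusually long dips value, and shell metacharacters in dips), written out as an added example that is not part of the advisory or of the platform's Sigma rules. The tab-separated log format, the 64-character threshold, the metacharacter set and the sample records are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/goform/GstDhcpSetSerof"  # path as given in the advisory
MAX_DIPS_LEN = 64                     # assumed threshold, tune to your baseline
SHELL_META = set(";|&`$(){}<>\n")     # assumed metacharacter set

# Constructed records in an assumed format: src_ip<TAB>method<TAB>uri<TAB>form body
SAMPLE_LOG = "\n".join([
    "192.0.2.10\tPOST\t/goform/GstDhcpSetSerof\tdips=192.168.0.100",
    "198.51.100.7\tPOST\t/goform/GstDhcpSetSerof\tdips=" + "A" * 600,
    "198.51.100.8\tPOST\t/goform/GstDhcpSetSerof\tdips=192.168.0.1%3Bx",
    "192.0.2.11\tGET\t/index.html\t",
    "203.0.113.5\tPOST\t/goform/GstDhcpSetSerof?dips=" + "%41" * 300 + "\t",
])


def inspect(line):
    """Return the sorted reasons a record is suspicious (empty list if none)."""
    parts = line.split("\t")
    if len(parts) != 4:
        return []  # malformed record: skipped here, count these in production
    _src, method, uri, body = parts
    url = urlsplit(uri)
    if method.upper() != "POST" or url.path != ENDPOINT:
        return []
    # dips can arrive in the body or the query string and may be repeated;
    # parse_qs percent-decodes, so encoded padding is measured at real length.
    values = []
    for raw in (url.query, body):
        values += parse_qs(raw, keep_blank_values=True).get("dips", [])
    reasons = set()
    for value in values:
        if len(value) > MAX_DIPS_LEN:
            reasons.add("long_dips")
        if SHELL_META & set(value):
            reasons.add("shell_meta")
    return sorted(reasons)


def scan(log_text):
    """Return (src_ip, reasons) for every suspicious record in the log."""
    hits = []
    for line in log_text.split("\n"):
        reasons = inspect(line)
        if reasons:
            hits.append((line.split("\t")[0], reasons))
    return hits


if __name__ == "__main__":
    for src, reasons in scan(SAMPLE_LOG):
        print(src, ",".join(reasons))
```

Standard access logs rarely record POST bodies, so this check needs a source that does, such as a reverse proxy or IDS placed in front of the router's web interface.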
