Attack Chain

1. The attacker identifies a Tenda 4G300 router running the vulnerable firmware version US_4G300V1.0Mt_V1.01.42_CN_TDC01.
2. The attacker crafts a malicious HTTP POST request targeting the /goform/SafeMacFilter endpoint.
3. The crafted request includes the page argument with a payload exceeding the buffer size allocated for it within the sub_427C3C function.
4. The router processes the HTTP request, passing the oversized page argument to the vulnerable function.
5. The sub_427C3C function attempts to write the oversized data into a stack-based buffer, causing a buffer overflow.
6. The buffer overflow overwrites adjacent memory on the stack, including the return address.
7. The attacker redirects execution flow to a malicious code payload injected into the request or elsewhere in memory.
8. The injected code executes with the privileges of the router process, potentially allowing the attacker to gain full control of the device.

Impact

Successful exploitation of this vulnerability can lead to complete compromise of the Tenda 4G300 router. An attacker could gain unauthorized access to the device’s configuration, intercept network traffic, or use the router as a launching point for further attacks against other devices on the network or the internet. Given the widespread use of these routers in homes and small businesses, a successful attack could impact a large number of users.

Recommendation

• Monitor web server logs for unusual POST requests to /goform/SafeMacFilter with abnormally long page parameters. Use the provided Sigma rule to detect suspicious activity.
• Implement rate limiting on the /goform/SafeMacFilter endpoint to mitigate potential brute-force exploitation attempts.
• Apply any available patches or firmware updates released by Tenda to address CVE-2026-7470.
• Deploy the Sigma rules in this brief to your SIEM and tune for your environment.