<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>BE12 Pro 16.03.66.23 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/be12-pro-16.03.66.23/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 14 Jul 2026 13:20:17 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/be12-pro-16.03.66.23/feed.xml" rel="self" type="application/rss+xml"/><item><title>Tenda BE12 Pro Remote Code Execution Vulnerability (CVE-2026-15691)</title><link>https://feed.craftedsignal.io/briefs/2026-07-tenda-be12-pro-rce/</link><pubDate>Tue, 14 Jul 2026 13:20:17 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-tenda-be12-pro-rce/</guid><description>A critical remote stack-based buffer overflow vulnerability (CVE-2026-15691) has been discovered in Tenda BE12 Pro firmware 16.03.66.23, affecting the `fromSafeClientFilter` function and allowing remote attackers to achieve arbitrary code execution by manipulating the `page` argument, with a public exploit available.</description><content:encoded><![CDATA[<p>A significant security vulnerability, CVE-2026-15691, has been identified in the Tenda BE12 Pro router, specifically impacting firmware version 16.03.66.23. The flaw is a stack-based buffer overflow located within the <code>fromSafeClientFilter</code> function, which is accessed via the <code>/goform/SafeClientFilter</code> endpoint. Attackers can remotely trigger this vulnerability by sending a crafted request that manipulates the <code>page</code> argument, leading to arbitrary code execution on the device. This vulnerability has a CVSS v3.1 Base Score of 8.8, indicating high severity. Crucially, an exploit for this vulnerability has been released to the public, increasing the immediate threat level as it can be used for active attacks by various threat actors to compromise affected routers and potentially gain access to internal networks.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access</strong>: An attacker identifies a Tenda BE12 Pro router running vulnerable firmware version 16.03.66.23, accessible from the internet.</li>
<li><strong>Vulnerability Discovery</strong>: The attacker leverages publicly available information or exploit code for CVE-2026-15691, targeting the <code>/goform/SafeClientFilter</code> endpoint.</li>
<li><strong>Crafted HTTP Request</strong>: The attacker constructs and sends a malicious HTTP request (GET or POST) to the <code>/goform/SafeClientFilter</code> URI on the target router.</li>
<li><strong>Argument Manipulation</strong>: The crafted request includes a specially formed or excessively long value for the <code>page</code> argument, designed to exceed the allocated buffer size.</li>
<li><strong>Buffer Overflow Trigger</strong>: The router's <code>fromSafeClientFilter</code> function attempts to process the manipulated <code>page</code> argument, resulting in a stack-based buffer overflow.</li>
<li><strong>Arbitrary Code Execution</strong>: The overflow is exploited to overwrite the stack with attacker-controlled data, enabling the injection and execution of arbitrary code with the privileges of the affected process.</li>
<li><strong>Device Compromise</strong>: Upon successful code execution, the attacker gains full control over the router, which can then be used for network reconnaissance, data exfiltration, or as a pivot point for further attacks on the internal network.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful exploitation of CVE-2026-15691 allows for remote code execution on the affected Tenda BE12 Pro router. This means an attacker can gain full control over the device. The impact includes potential unauthorized access to the router's configuration, modification of network settings (such as DNS servers or firewall rules), redirection of network traffic, or the establishment of a persistent backdoor. Compromised routers can serve as a beachhead for attackers to infiltrate the internal network, intercept sensitive data, or launch further attacks against connected devices and services, posing a significant risk to the confidentiality, integrity, and availability of network resources.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Patch CVE-2026-15691 immediately</strong>: Update Tenda BE12 Pro routers to a patched firmware version as soon as one becomes available from the vendor.</li>
<li><strong>Implement network segmentation</strong>: Isolate network infrastructure devices, including routers, into dedicated network segments to limit potential lateral movement if compromised.</li>
<li><strong>Restrict administrative access</strong>: Ensure that Tenda BE12 Pro routers are not directly exposed to the internet via their administrative interfaces; place them behind a firewall and restrict management access to trusted IP ranges.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>vulnerability</category><category>remote-code-execution</category><category>buffer-overflow</category><category>firmware</category><category>router</category><category>network-device</category><category>rce</category></item></channel></rss>