<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>CH22 1.0.0.1 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/ch22-1.0.0.1/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 13 Jul 2026 08:17:56 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/ch22-1.0.0.1/feed.xml" rel="self" type="application/rss+xml"/><item><title>Critical Buffer Overflow in Tenda CH22 Leads to Remote Code Execution (CVE-2026-15543)</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2026-15543-tenda-rce/</link><pubDate>Mon, 13 Jul 2026 08:17:56 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2026-15543-tenda-rce/</guid><description>A critical buffer overflow vulnerability, CVE-2026-15543, exists in the Tenda CH22 1.0.0.1 firmware's `formCertListInfo` function, allowing unauthenticated remote attackers to achieve arbitrary code execution by manipulating the 'Name' argument, with a public exploit available.</description><content:encoded><![CDATA[<p>A severe buffer overflow vulnerability, identified as CVE-2026-15543, has been discovered in the firmware of Tenda CH22 1.0.0.1 devices. This flaw specifically impacts the <code>formCertListInfo</code> function located within the <code>/goform/CertListInfo</code> file. By crafting a malicious input to the 'Name' argument, a remote attacker can trigger a buffer overflow, which can lead to arbitrary code execution on the vulnerable device. This vulnerability does not require authentication and can be exploited remotely, posing a significant risk to affected systems. The existence of a publicly available exploit escalates the urgency for immediate patching, as it significantly lowers the barrier for attackers to compromise these devices. Defenders must prioritize patching to prevent unauthorized control and potential network compromise.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated remote attacker identifies a Tenda CH22 1.0.0.1 device accessible over the network.</li>
<li>The attacker crafts a specially designed HTTP request targeting the <code>/goform/CertListInfo</code> endpoint on the vulnerable device.</li>
<li>The request includes a malformed or excessively long value in the 'Name' argument, intended to exceed the allocated buffer size.</li>
<li>Upon processing this request, the <code>formCertListInfo</code> function attempts to handle the oversized 'Name' argument, resulting in a buffer overflow.</li>
<li>The buffer overflow corrupts adjacent memory, allowing the attacker to inject and execute arbitrary code on the device.</li>
<li>Successful exploitation grants the attacker full control over the compromised Tenda CH22 device, potentially enabling further network penetration or data exfiltration.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-15543 results in full remote code execution on the affected Tenda CH22 1.0.0.1 device. This allows attackers to gain complete control, potentially altering device configurations, installing malicious firmware, creating backdoors, or using the device as a pivot point for further attacks within the connected network. Given that the vulnerability is remotely exploitable and a public exploit is available, many devices could be at high risk of compromise by a wide range of threat actors. Organizations using Tenda CH22 devices must act swiftly to prevent unauthorized access and potential data breaches or service disruptions.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately patch Tenda CH22 devices to a version where CVE-2026-15543 is remediated.</li>
<li>Monitor network traffic for unusual connections originating from or destined for Tenda CH22 devices, potentially indicating exploitation attempts for CVE-2026-15543.</li>
<li>If patching is not immediately feasible, restrict network access to Tenda CH22 devices from untrusted networks to mitigate remote exploitation attempts for CVE-2026-15543.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>cve</category><category>vulnerability</category><category>buffer-overflow</category><category>remote-code-execution</category><category>network-device</category></item></channel></rss>