{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/f1202-1.2.0.20408/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-9431"}],"_cs_exploited":true,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["F1202 1.2.0.20(408)"],"_cs_severities":["critical"],"_cs_tags":["cve","buffer-overflow","tenda","router","rce"],"_cs_type":"threat","_cs_vendors":["Tenda"],"content_html":"\u003cp\u003eA stack-based buffer overflow vulnerability, CVE-2026-9431, has been identified in Tenda F1202 router firmware version 1.2.0.20(408). The vulnerability resides in the \u003ccode\u003efromPptpUserAdd\u003c/code\u003e function within the \u003ccode\u003e/goform/PptpUserAdd\u003c/code\u003e file. By manipulating the \u003ccode\u003eopttype\u003c/code\u003e argument, an attacker can trigger a buffer overflow, potentially leading to arbitrary code execution on the device. This vulnerability can be exploited remotely without authentication. Publicly available exploit code exists, increasing the risk of exploitation in the wild. This issue poses a significant threat to network security, potentially allowing attackers to gain control of vulnerable devices.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a Tenda F1202 router running firmware version 1.2.0.20(408).\u003c/li\u003e\n\u003cli\u003eAttacker sends a crafted HTTP POST request to the \u003ccode\u003e/goform/PptpUserAdd\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe POST request includes the \u003ccode\u003eopttype\u003c/code\u003e argument with a value exceeding the buffer size allocated in the \u003ccode\u003efromPptpUserAdd\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efromPptpUserAdd\u003c/code\u003e function processes the malicious \u003ccode\u003eopttype\u003c/code\u003e argument without proper bounds checking.\u003c/li\u003e\n\u003cli\u003eThe oversized \u003ccode\u003eopttype\u003c/code\u003e value overflows the stack buffer, overwriting adjacent memory locations.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts the overflow to overwrite the return address on the stack, redirecting execution flow.\u003c/li\u003e\n\u003cli\u003eThe overwritten return address points to attacker-controlled code, which is injected into the overflow.\u003c/li\u003e\n\u003cli\u003eThe attacker-controlled code executes with the privileges of the \u003ccode\u003efromPptpUserAdd\u003c/code\u003e function, allowing the attacker to execute arbitrary commands on the router.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-9431 allows a remote, unauthenticated attacker to execute arbitrary code on the Tenda F1202 router. This can lead to complete device compromise, including modification of router settings, interception of network traffic, and use of the router as a botnet node. Given the publicly available exploit code, widespread exploitation is possible, potentially impacting numerous home and small business networks using the vulnerable Tenda F1202 model.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to \u003ccode\u003e/goform/PptpUserAdd\u003c/code\u003e with unusually long \u003ccode\u003eopttype\u003c/code\u003e values to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Tenda F1202 Buffer Overflow Attempt\u003c/code\u003e to your SIEM to identify suspicious requests.\u003c/li\u003e\n\u003cli\u003eConsider deploying a web application firewall (WAF) rule to block requests with excessively long \u003ccode\u003eopttype\u003c/code\u003e values sent to \u003ccode\u003e/goform/PptpUserAdd\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-26T14:10:28Z","date_published":"2026-05-26T14:10:28Z","id":"https://feed.craftedsignal.io/briefs/2026-05-tenda-buffer-overflow/","summary":"A remote stack-based buffer overflow vulnerability (CVE-2026-9431) exists in the fromPptpUserAdd function of the /goform/PptpUserAdd file in Tenda F1202 firmware version 1.2.0.20(408), allowing unauthenticated attackers to potentially execute arbitrary code.","title":"Tenda F1202 Stack-Based Buffer Overflow Vulnerability (CVE-2026-9431)","url":"https://feed.craftedsignal.io/briefs/2026-05-tenda-buffer-overflow/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-9430"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["F1202 1.2.0.20(408)"],"_cs_severities":["high"],"_cs_tags":["cve","buffer-overflow","router","tenda"],"_cs_type":"advisory","_cs_vendors":["Tenda"],"content_html":"\u003cp\u003eA stack-based buffer overflow vulnerability, identified as CVE-2026-9430, affects Tenda F1202 router version 1.2.0.20(408). The vulnerability lies within the \u003ccode\u003eformGstDhcpSetSer\u003c/code\u003e function in the \u003ccode\u003e/goform/GstDhcpSetSerof\u003c/code\u003e file. By manipulating the \u003ccode\u003edips\u003c/code\u003e argument, an attacker can trigger a buffer overflow. The vulnerability is remotely exploitable, and public exploits are available, increasing the risk of widespread exploitation. This poses a significant threat to users of the affected router model, potentially allowing attackers to gain unauthorized access and control over the device.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Tenda F1202 router running firmware version 1.2.0.20(408) accessible over the network.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP POST request to the \u003ccode\u003e/goform/GstDhcpSetSerof\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe HTTP POST request includes a malicious payload within the \u003ccode\u003edips\u003c/code\u003e argument, designed to overflow the buffer on the stack.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eformGstDhcpSetSer\u003c/code\u003e function processes the request without proper bounds checking on the \u003ccode\u003edips\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eThe oversized \u003ccode\u003edips\u003c/code\u003e value overwrites adjacent memory on the stack, including the return address.\u003c/li\u003e\n\u003cli\u003eWhen the \u003ccode\u003eformGstDhcpSetSer\u003c/code\u003e function returns, it jumps to the address overwritten by the attacker\u0026rsquo;s payload.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s payload executes arbitrary code on the router, potentially granting shell access or modifying router configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker can then use this access to pivot to other devices on the network, establish a persistent backdoor, or disrupt network services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-9430 allows a remote attacker to execute arbitrary code on the Tenda F1202 router. This can lead to complete compromise of the device, potentially enabling attackers to steal sensitive information, modify router settings, or use the router as a node in a botnet. Given the public availability of exploit code, unpatched devices are at high risk of compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply any available firmware updates from Tenda to patch CVE-2026-9430 on affected F1202 routers.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to \u003ccode\u003e/goform/GstDhcpSetSerof\u003c/code\u003e with unusually long \u003ccode\u003edips\u003c/code\u003e arguments, using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement network intrusion detection system (IDS) rules to detect exploit attempts targeting the \u003ccode\u003eformGstDhcpSetSer\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eRestrict access to the router\u0026rsquo;s web interface from the public internet to reduce the attack surface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-26T14:10:07Z","date_published":"2026-05-26T14:10:07Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-9430-tenda-overflow/","summary":"A stack-based buffer overflow vulnerability (CVE-2026-9430) exists in Tenda F1202 version 1.2.0.20(408) due to manipulation of the 'dips' argument in the 'formGstDhcpSetSer' function of '/goform/GstDhcpSetSerof', allowing remote code execution.","title":"Tenda F1202 Stack-Based Buffer Overflow Vulnerability (CVE-2026-9430)","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-9430-tenda-overflow/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-9429"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["F1202 1.2.0.20(408)"],"_cs_severities":["high"],"_cs_tags":["stack-based buffer overflow","router vulnerability","cve-2026-9429"],"_cs_type":"advisory","_cs_vendors":["Tenda"],"content_html":"\u003cp\u003eCVE-2026-9429 is a stack-based buffer overflow vulnerability affecting Tenda F1202 devices running firmware version 1.2.0.20(408). The vulnerability resides in the \u003ccode\u003eformWrlExtraSet\u003c/code\u003e function within the \u003ccode\u003e/goform/WrlExtraSet\u003c/code\u003e file. A remote attacker can exploit this vulnerability by crafting a malicious request that manipulates the \u003ccode\u003edelno\u003c/code\u003e argument, leading to arbitrary code execution on the affected device. This is particularly concerning as a public exploit is available, increasing the likelihood of exploitation. Successful exploitation allows attackers to compromise the router and potentially gain access to the local network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Tenda F1202 router running firmware version 1.2.0.20(408).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003e/goform/WrlExtraSet\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eWithin the HTTP request, the attacker includes the \u003ccode\u003edelno\u003c/code\u003e argument with a value exceeding the buffer\u0026rsquo;s capacity in the \u003ccode\u003eformWrlExtraSet\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003eformWrlExtraSet\u003c/code\u003e function processes the \u003ccode\u003edelno\u003c/code\u003e argument without proper bounds checking.\u003c/li\u003e\n\u003cli\u003eThe excessive data provided in the \u003ccode\u003edelno\u003c/code\u003e argument overwrites the stack.\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious code into the overflowed buffer.\u003c/li\u003e\n\u003cli\u003eThe injected code is executed, granting the attacker control over the device.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform actions such as modifying router settings, intercepting network traffic, or establishing a backdoor for persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-9429 allows an attacker to gain complete control over the Tenda F1202 router. This can lead to a variety of malicious activities, including data theft, denial of service, and the establishment of a persistent foothold on the network. Given the availability of a public exploit, organizations and individuals using the affected Tenda F1202 router are at significant risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches or firmware updates from Tenda to address CVE-2026-9429.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to \u003ccode\u003e/goform/WrlExtraSet\u003c/code\u003e with abnormally long \u003ccode\u003edelno\u003c/code\u003e arguments, using the Sigma rule \u003ccode\u003eDetect Suspiciously Long delno Parameter in Tenda Routers\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement network intrusion detection systems (IDS) rules to detect and block exploitation attempts targeting CVE-2026-9429.\u003c/li\u003e\n\u003cli\u003eReview and restrict access to the router\u0026rsquo;s management interface to trusted IP addresses only.\u003c/li\u003e\n\u003cli\u003eEnable logging on the Tenda router and forward logs to a SIEM for centralized monitoring and analysis.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-26T14:08:19Z","date_published":"2026-05-26T14:08:19Z","id":"https://feed.craftedsignal.io/briefs/2026-05-tenda-stack-overflow/","summary":"A stack-based buffer overflow vulnerability (CVE-2026-9429) exists in Tenda F1202 version 1.2.0.20(408) within the formWrlExtraSet function of the /goform/WrlExtraSet file, allowing a remote attacker to execute arbitrary code by manipulating the delno argument; a public exploit is available.","title":"Tenda F1202 Stack-Based Buffer Overflow Vulnerability (CVE-2026-9429)","url":"https://feed.craftedsignal.io/briefs/2026-05-tenda-stack-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed — F1202 1.2.0.20(408)","version":"https://jsonfeed.org/version/1.1"}