F1202 1.2.0.20(408) — CraftedSignal Threat Feed

Tenda F1202 Stack-Based Buffer Overflow Vulnerability (CVE-2026-9431)

hello@craftedsignal.io — Tue, 26 May 2026 14:10:28 +0000

A stack-based buffer overflow vulnerability, CVE-2026-9431, has been identified in Tenda F1202 router firmware version 1.2.0.20(408). The vulnerability resides in the fromPptpUserAdd function within the /goform/PptpUserAdd file. By manipulating the opttype argument, an attacker can trigger a buffer overflow, potentially leading to arbitrary code execution on the device. This vulnerability can be exploited remotely without authentication. Publicly available exploit code exists, increasing the risk of exploitation in the wild. This issue poses a significant threat to network security, potentially allowing attackers to gain control of vulnerable devices.

Attack Chain

Attacker identifies a Tenda F1202 router running firmware version 1.2.0.20(408).
Attacker sends a crafted HTTP POST request to the /goform/PptpUserAdd endpoint.
The POST request includes the opttype argument with a value exceeding the buffer size allocated in the fromPptpUserAdd function.
The fromPptpUserAdd function processes the malicious opttype argument without proper bounds checking.
The oversized opttype value overflows the stack buffer, overwriting adjacent memory locations.
The attacker crafts the overflow to overwrite the return address on the stack, redirecting execution flow.
The overwritten return address points to attacker-controlled code, which is injected into the overflow.
The attacker-controlled code executes with the privileges of the fromPptpUserAdd function, allowing the attacker to execute arbitrary commands on the router.

Impact

Successful exploitation of CVE-2026-9431 allows a remote, unauthenticated attacker to execute arbitrary code on the Tenda F1202 router. This can lead to complete device compromise, including modification of router settings, interception of network traffic, and use of the router as a botnet node. Given the publicly available exploit code, widespread exploitation is possible, potentially impacting numerous home and small business networks using the vulnerable Tenda F1202 model.

Recommendation

Monitor web server logs for suspicious POST requests to /goform/PptpUserAdd with unusually long opttype values to detect potential exploitation attempts.
Deploy the Sigma rule Detect Tenda F1202 Buffer Overflow Attempt to your SIEM to identify suspicious requests.
Consider deploying a web application firewall (WAF) rule to block requests with excessively long opttype values sent to /goform/PptpUserAdd.

Tenda F1202 Stack-Based Buffer Overflow Vulnerability (CVE-2026-9430)

hello@craftedsignal.io — Tue, 26 May 2026 14:10:07 +0000

A stack-based buffer overflow vulnerability, identified as CVE-2026-9430, affects Tenda F1202 router version 1.2.0.20(408). The vulnerability lies within the formGstDhcpSetSer function in the /goform/GstDhcpSetSerof file. By manipulating the dips argument, an attacker can trigger a buffer overflow. The vulnerability is remotely exploitable, and public exploits are available, increasing the risk of widespread exploitation. This poses a significant threat to users of the affected router model, potentially allowing attackers to gain unauthorized access and control over the device.

Attack Chain

The attacker identifies a Tenda F1202 router running firmware version 1.2.0.20(408) accessible over the network.
The attacker sends a crafted HTTP POST request to the /goform/GstDhcpSetSerof endpoint.
The HTTP POST request includes a malicious payload within the dips argument, designed to overflow the buffer on the stack.
The formGstDhcpSetSer function processes the request without proper bounds checking on the dips argument.
The oversized dips value overwrites adjacent memory on the stack, including the return address.
When the formGstDhcpSetSer function returns, it jumps to the address overwritten by the attacker’s payload.
The attacker’s payload executes arbitrary code on the router, potentially granting shell access or modifying router configuration.
The attacker can then use this access to pivot to other devices on the network, establish a persistent backdoor, or disrupt network services.

Impact

Successful exploitation of CVE-2026-9430 allows a remote attacker to execute arbitrary code on the Tenda F1202 router. This can lead to complete compromise of the device, potentially enabling attackers to steal sensitive information, modify router settings, or use the router as a node in a botnet. Given the public availability of exploit code, unpatched devices are at high risk of compromise.

Recommendation

Apply any available firmware updates from Tenda to patch CVE-2026-9430 on affected F1202 routers.
Monitor web server logs for suspicious POST requests to /goform/GstDhcpSetSerof with unusually long dips arguments, using the provided Sigma rule.
Implement network intrusion detection system (IDS) rules to detect exploit attempts targeting the formGstDhcpSetSer function.
Restrict access to the router’s web interface from the public internet to reduce the attack surface.

Tenda F1202 Stack-Based Buffer Overflow Vulnerability (CVE-2026-9429)

hello@craftedsignal.io — Tue, 26 May 2026 14:08:19 +0000

CVE-2026-9429 is a stack-based buffer overflow vulnerability affecting Tenda F1202 devices running firmware version 1.2.0.20(408). The vulnerability resides in the formWrlExtraSet function within the /goform/WrlExtraSet file. A remote attacker can exploit this vulnerability by crafting a malicious request that manipulates the delno argument, leading to arbitrary code execution on the affected device. This is particularly concerning as a public exploit is available, increasing the likelihood of exploitation. Successful exploitation allows attackers to compromise the router and potentially gain access to the local network.

Attack Chain

The attacker identifies a Tenda F1202 router running firmware version 1.2.0.20(408).
The attacker crafts a malicious HTTP request targeting the /goform/WrlExtraSet endpoint.
Within the HTTP request, the attacker includes the delno argument with a value exceeding the buffer’s capacity in the formWrlExtraSet function.
The vulnerable formWrlExtraSet function processes the delno argument without proper bounds checking.
The excessive data provided in the delno argument overwrites the stack.
The attacker injects malicious code into the overflowed buffer.
The injected code is executed, granting the attacker control over the device.
The attacker can then perform actions such as modifying router settings, intercepting network traffic, or establishing a backdoor for persistent access.

Impact

Successful exploitation of CVE-2026-9429 allows an attacker to gain complete control over the Tenda F1202 router. This can lead to a variety of malicious activities, including data theft, denial of service, and the establishment of a persistent foothold on the network. Given the availability of a public exploit, organizations and individuals using the affected Tenda F1202 router are at significant risk.

Recommendation

Apply available patches or firmware updates from Tenda to address CVE-2026-9429.
Monitor web server logs for suspicious POST requests to /goform/WrlExtraSet with abnormally long delno arguments, using the Sigma rule Detect Suspiciously Long delno Parameter in Tenda Routers.
Implement network intrusion detection systems (IDS) rules to detect and block exploitation attempts targeting CVE-2026-9429.
Review and restrict access to the router’s management interface to trusted IP addresses only.
Enable logging on the Tenda router and forward logs to a SIEM for centralized monitoring and analysis.