{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/tenda-ac5-router/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Tenda AC5 router"],"_cs_severities":["critical"],"_cs_tags":["cve-2026-4904","buffer-overflow","tenda","router","webserver"],"_cs_type":"advisory","_cs_vendors":["Tenda"],"content_html":"\u003cp\u003eA critical stack-based buffer overflow vulnerability, identified as CVE-2026-4904, has been discovered in Tenda AC5 router firmware version 15.03.06.47. The vulnerability resides in the \u003ccode\u003eformSetCfm\u003c/code\u003e function within the \u003ccode\u003e/goform/setcfm\u003c/code\u003e endpoint, specifically affecting the POST request handler. This flaw allows a remote, unauthenticated attacker to potentially execute arbitrary code on the device by sending a crafted POST request with a malicious value for the \u003ccode\u003efuncpara1\u003c/code\u003e argument. Given the ease of exploitation and the potential for complete system compromise, this vulnerability poses a significant risk to affected devices. Public disclosure of the exploit code increases the likelihood of widespread exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Tenda AC5 router running firmware version 15.03.06.47.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/goform/setcfm\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eWithin the POST request, the attacker includes the \u003ccode\u003efuncpara1\u003c/code\u003e argument with a string exceeding the expected buffer size.\u003c/li\u003e\n\u003cli\u003eThe Tenda AC5 router receives the crafted POST request and passes the \u003ccode\u003efuncpara1\u003c/code\u003e argument to the \u003ccode\u003eformSetCfm\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eDue to insufficient bounds checking, the oversized \u003ccode\u003efuncpara1\u003c/code\u003e string overflows the allocated buffer on the stack.\u003c/li\u003e\n\u003cli\u003eThe buffer overflow overwrites adjacent memory on the stack, including the return address.\u003c/li\u003e\n\u003cli\u003eThe attacker carefully crafts the overflow to overwrite the return address with an address pointing to malicious code or a return-oriented programming (ROP) chain.\u003c/li\u003e\n\u003cli\u003eWhen the \u003ccode\u003eformSetCfm\u003c/code\u003e function returns, execution jumps to the attacker-controlled address, resulting in arbitrary code execution on the router.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-4904 grants the attacker complete control over the Tenda AC5 router. This can lead to a variety of malicious activities, including but not limited to: complete device takeover, denial of service, network traffic interception, DNS hijacking, and the installation of persistent backdoors. Given the widespread use of Tenda routers in homes and small businesses, a large number of devices are potentially vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Tenda AC5 Buffer Overflow Attempt\u003c/code\u003e to identify exploitation attempts against the vulnerable \u003ccode\u003e/goform/setcfm\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eApply any available patches or firmware updates released by Tenda to address CVE-2026-4904.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests targeting the \u003ccode\u003e/goform/setcfm\u003c/code\u003e endpoint with unusually long \u003ccode\u003efuncpara1\u003c/code\u003e parameters (see IOC context in the rule description).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-tenda-ac5-overflow/","summary":"A stack-based buffer overflow vulnerability (CVE-2026-4904) exists in the Tenda AC5 router version 15.03.06.47, allowing remote attackers to execute arbitrary code by manipulating the 'funcpara1' argument in the '/goform/setcfm' endpoint.","title":"Tenda AC5 Router Stack-Based Buffer Overflow (CVE-2026-4904)","url":"https://feed.craftedsignal.io/briefs/2024-01-tenda-ac5-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed - Tenda AC5 Router","version":"https://jsonfeed.org/version/1.1"}