<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Tenda AC5 Router - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/tenda-ac5-router/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 02 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/tenda-ac5-router/feed.xml" rel="self" type="application/rss+xml"/><item><title>Tenda AC5 Router Stack-Based Buffer Overflow (CVE-2026-4904)</title><link>https://feed.craftedsignal.io/briefs/2024-01-tenda-ac5-overflow/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-tenda-ac5-overflow/</guid><description>A stack-based buffer overflow vulnerability (CVE-2026-4904) exists in the Tenda AC5 router version 15.03.06.47, allowing remote attackers to execute arbitrary code by manipulating the 'funcpara1' argument in the '/goform/setcfm' endpoint.</description><content:encoded><![CDATA[<p>A critical stack-based buffer overflow vulnerability, identified as CVE-2026-4904, has been discovered in Tenda AC5 router firmware version 15.03.06.47. The vulnerability resides in the <code>formSetCfm</code> function within the <code>/goform/setcfm</code> endpoint, specifically affecting the POST request handler. This flaw allows a remote, unauthenticated attacker to potentially execute arbitrary code on the device by sending a crafted POST request with a malicious value for the <code>funcpara1</code> argument. Given the ease of exploitation and the potential for complete system compromise, this vulnerability poses a significant risk to affected devices. Public disclosure of the exploit code increases the likelihood of widespread exploitation.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a vulnerable Tenda AC5 router running firmware version 15.03.06.47.</li>
<li>The attacker crafts a malicious HTTP POST request targeting the <code>/goform/setcfm</code> endpoint.</li>
<li>Within the POST request, the attacker includes the <code>funcpara1</code> argument with a string exceeding the expected buffer size.</li>
<li>The Tenda AC5 router receives the crafted POST request and passes the <code>funcpara1</code> argument to the <code>formSetCfm</code> function.</li>
<li>Due to insufficient bounds checking, the oversized <code>funcpara1</code> string overflows the allocated buffer on the stack.</li>
<li>The buffer overflow overwrites adjacent memory on the stack, including the return address.</li>
<li>The attacker carefully crafts the overflow to overwrite the return address with an address pointing to malicious code or a return-oriented programming (ROP) chain.</li>
<li>When the <code>formSetCfm</code> function returns, execution jumps to the attacker-controlled address, resulting in arbitrary code execution on the router.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-4904 grants the attacker complete control over the Tenda AC5 router. This can lead to a variety of malicious activities, including but not limited to: complete device takeover, denial of service, network traffic interception, DNS hijacking, and the installation of persistent backdoors. Given the widespread use of Tenda routers in homes and small businesses, a large number of devices are potentially vulnerable.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Detect Tenda AC5 Buffer Overflow Attempt</code> to identify exploitation attempts against the vulnerable <code>/goform/setcfm</code> endpoint.</li>
<li>Apply any available patches or firmware updates released by Tenda to address CVE-2026-4904.</li>
<li>Monitor web server logs for suspicious POST requests targeting the <code>/goform/setcfm</code> endpoint with unusually long <code>funcpara1</code> parameters (see IOC context in the rule description).</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>cve-2026-4904</category><category>buffer-overflow</category><category>tenda</category><category>router</category><category>webserver</category></item></channel></rss>