{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/ac21/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["tenda","ac21","buffer_overflow","cve-2026-4565","router"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical buffer overflow vulnerability, CVE-2026-4565, affects Tenda AC21 routers running firmware version 16.03.08.16. The flaw resides in the \u003ccode\u003eformSetQosBand\u003c/code\u003e function within the \u003ccode\u003e/goform/SetNetControlList\u003c/code\u003e file. Attackers can exploit this vulnerability by crafting malicious argument lists in HTTP requests, leading to arbitrary code execution on the device. The vulnerability can be exploited remotely and a proof-of-concept exploit is publicly available, increasing the risk of widespread exploitation. Successful exploitation allows attackers to gain complete control over the router, potentially compromising connected devices and network traffic.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable Tenda AC21 router with firmware version 16.03.08.16.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/goform/SetNetControlList\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe POST request includes a specially crafted argument list designed to overflow the buffer in the \u003ccode\u003eformSetQosBand\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe router processes the HTTP request and passes the malicious arguments to the vulnerable function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eformSetQosBand\u003c/code\u003e function attempts to copy the oversized argument list into a fixed-size buffer, triggering a buffer overflow.\u003c/li\u003e\n\u003cli\u003eThe buffer overflow overwrites adjacent memory regions, potentially including critical program data or execution pointers.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the program execution flow and injects malicious code.\u003c/li\u003e\n\u003cli\u003eThe injected code executes with elevated privileges, granting the attacker complete control over the router.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the Tenda AC21 router. This can lead to a variety of malicious outcomes, including: complete device compromise, modification of router settings, interception of network traffic, deployment of malware to connected devices, and use of the router as a botnet node. Given the wide usage of Tenda routers in home and small business environments, a successful widespread exploit could impact thousands of users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to \u003ccode\u003e/goform/SetNetControlList\u003c/code\u003e with unusually long or malformed arguments (see rule: \u0026ldquo;Detect Suspicious POST Requests to SetNetControlList\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on HTTP POST requests to prevent attackers from quickly exploiting the vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Tenda AC21 Buffer Overflow Attempt\u0026rdquo; to identify exploitation attempts based on specific patterns in HTTP requests.\u003c/li\u003e\n\u003cli\u003eConsider blocking traffic from known exploit sources, if available.\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched firmware version as soon as it becomes available from the vendor.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-23T01:16:43Z","date_published":"2026-03-23T01:16:43Z","id":"/briefs/2026-03-tenda-ac21-buffer-overflow/","summary":"A buffer overflow vulnerability exists in Tenda AC21 firmware version 16.03.08.16, allowing remote attackers to execute arbitrary code by manipulating arguments to the formSetQosBand function.","title":"Tenda AC21 Router Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-tenda-ac21-buffer-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed — Ac21","version":"https://jsonfeed.org/version/1.1"}