Buffer-Overflow — CraftedSignal Threat Feed

Qualcomm PLC FW Buffer Overflow via Incorrect Authorization (CVE-2026-25293)

hello@craftedsignal.io — Mon, 04 May 2026 17:16:22 +0000

CVE-2026-25293 describes a buffer overflow vulnerability affecting Qualcomm’s Programmable Logic Controller Firmware (PLC FW). The root cause is an incorrect authorization mechanism within the firmware. This flaw could allow an attacker to potentially overwrite memory buffers, leading to arbitrary code execution or denial of service. The vulnerability was disclosed in Qualcomm’s May 2026 security bulletin. Successful exploitation of this vulnerability could allow unauthorized modification of PLC configurations, potentially impacting industrial control systems and automation processes. The affected PLC FW is used in a range of industrial applications, increasing the scope and severity of this vulnerability.

Attack Chain

Attacker identifies a vulnerable PLC FW device on the network.
The attacker leverages CVE-2026-25293 to bypass authorization checks.
A crafted network packet is sent to the PLC FW, exploiting the buffer overflow.
The overflowed buffer overwrites critical memory regions.
Attacker gains control of PLC FW execution flow.
Malicious code is injected into the PLC memory space.
The injected code executes, potentially modifying PLC logic or disrupting operations.
The attacker achieves unauthorized control over the PLC, leading to disruption, data manipulation, or system compromise.

Impact

Successful exploitation of CVE-2026-25293 could allow attackers to gain complete control over Programmable Logic Controllers (PLCs). This could lead to significant disruptions in industrial control systems, manufacturing processes, and other automated systems. The vulnerability affects Qualcomm PLC FW, potentially impacting a large number of devices across various sectors. The high CVSS score of 9.6 reflects the critical impact of this vulnerability, including the potential for complete system compromise and denial of service.

Recommendation

Apply the security patches provided by Qualcomm as detailed in their May 2026 security bulletin (https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2026-bulletin.html) to remediate CVE-2026-25293.
Deploy the Sigma rule “Detect Suspicious Network Traffic to PLC Devices” to identify potential exploitation attempts.
Implement strict network segmentation to limit the attack surface and prevent lateral movement to PLC devices.
Monitor network traffic for unexpected patterns or unauthorized access attempts to PLC devices.

Totolink N300RH Buffer Overflow Vulnerability in setWanConfig

hello@craftedsignal.io — Mon, 04 May 2026 10:16:01 +0000

A buffer overflow vulnerability has been identified in Totolink N300RH router version 3.2.4-B20220812. The vulnerability resides in the setWanConfig function within the /cgi-bin/cstecgi.cgi file, which handles POST requests. An attacker can exploit this vulnerability by manipulating the priDns argument in a crafted POST request. The vulnerability allows for remote exploitation, meaning an attacker does not need local access to the device. Public exploits for this vulnerability are already available, increasing the risk of exploitation. This vulnerability was published on 2026-05-04.

Attack Chain

The attacker identifies a vulnerable Totolink N300RH router running firmware version 3.2.4-B20220812.
The attacker crafts a malicious POST request targeting the /cgi-bin/cstecgi.cgi endpoint.
Within the POST request, the attacker includes the priDns argument with a value exceeding the buffer size.
The setWanConfig function processes the priDns argument without proper bounds checking.
The oversized priDns value overwrites adjacent memory on the stack, potentially including control flow data.
The attacker gains control of the program execution flow by overwriting the return address.
The attacker executes arbitrary code on the router, potentially gaining a shell.
The attacker could then use the compromised router to perform lateral movement, exfiltrate data, or establish a persistent backdoor.

Impact

Successful exploitation of this buffer overflow vulnerability can lead to complete compromise of the Totolink N300RH router. An attacker could gain unauthorized access to the device’s configuration, intercept network traffic, or use the router as a pivot point to attack other devices on the network. Given that public exploits are available, a wide range of attackers could potentially exploit this vulnerability. The CVSS v3.1 base score is 8.8 (HIGH).

Recommendation

Monitor web server logs for POST requests to /cgi-bin/cstecgi.cgi with abnormally long priDns values to detect potential exploitation attempts using the provided Sigma rule.
Implement network intrusion detection system (NIDS) rules to detect and block malicious POST requests targeting /cgi-bin/cstecgi.cgi.
Contact Totolink for a security patch or firmware update to address CVE-2026-7749.

Totolink N300RH Buffer Overflow Vulnerability (CVE-2026-7750)

hello@craftedsignal.io — Mon, 04 May 2026 10:16:01 +0000

A buffer overflow vulnerability, identified as CVE-2026-7750, affects Totolink N300RH router version 3.2.4-B20220812. The vulnerability resides in the setMacFilterRules function within the /cgi-bin/cstecgi.cgi file, which handles POST requests. Attackers can exploit this flaw by sending a specially crafted POST request with an overly long mac_address parameter, triggering a buffer overflow. Successful exploitation allows for arbitrary code execution on the device. The vulnerability is remotely exploitable, and a public exploit is available, increasing the risk of widespread attacks. Defenders should prioritize patching or mitigating this vulnerability to prevent potential compromise of affected devices.

Attack Chain

The attacker identifies a vulnerable Totolink N300RH router running firmware version 3.2.4-B20220812.
The attacker crafts a malicious POST request targeting the /cgi-bin/cstecgi.cgi endpoint.
Within the POST request, the attacker includes the mac_address parameter, injecting a string longer than the buffer allocated for it.
The setMacFilterRules function processes the POST request without proper bounds checking on the mac_address argument.
The overly long mac_address value overflows the buffer, overwriting adjacent memory regions.
The attacker carefully crafts the overflow to overwrite the return address, redirecting execution flow to attacker-controlled code.
The injected code executes with the privileges of the web server, allowing the attacker to execute arbitrary commands.
The attacker gains complete control over the router, potentially using it for further malicious activities such as network pivoting, data exfiltration, or denial-of-service attacks.

Impact

Successful exploitation of CVE-2026-7750 allows a remote attacker to execute arbitrary code on the vulnerable Totolink N300RH device. This could lead to a complete compromise of the router, allowing the attacker to control network traffic, steal sensitive information, or use the router as a bot in a larger attack. Given the public availability of the exploit, a large number of unpatched devices could be vulnerable to automated attacks, potentially impacting thousands of users.

Recommendation

Apply available patches or firmware updates provided by Totolink to address CVE-2026-7750.
Implement network intrusion detection system (IDS) rules to detect and block suspicious POST requests targeting the /cgi-bin/cstecgi.cgi endpoint with excessively long mac_address parameters.
Deploy the Sigma rules in this brief to your SIEM to detect exploitation attempts.
Monitor web server logs for unusual POST requests to /cgi-bin/cstecgi.cgi, focusing on requests with large mac_address values.

GoBGP AIGP Attribute Parser Buffer Overflow Vulnerability

hello@craftedsignal.io — Mon, 04 May 2026 06:16:02 +0000

A buffer overflow vulnerability has been identified in the osrg GoBGP software, specifically affecting versions up to 4.3.0. The vulnerability resides in the PathAttributeAigp.DecodeFromBytes function of the pkg/packet/bgp/bgp.go file, which is part of the AIGP Attribute Parser component. An attacker can remotely trigger this vulnerability by sending a crafted BGP message containing a malicious AIGP attribute. Successful exploitation could lead to arbitrary code execution on the affected system. GoBGP is an open source BGP implementation. Organizations using GoBGP for routing purposes should upgrade to version 4.4.0 or apply the provided patch (51ad1ada06cb41ce47b7066799981816f50b7ced) to mitigate this risk.

Attack Chain

Attacker identifies a GoBGP instance running a vulnerable version (<= 4.3.0).
Attacker crafts a malicious BGP update message containing a specially crafted AIGP attribute.
The crafted AIGP attribute is designed to trigger a buffer overflow in the PathAttributeAigp.DecodeFromBytes function.
The attacker sends the malicious BGP update message to the vulnerable GoBGP instance over TCP port 179.
The GoBGP instance receives the message and attempts to parse the AIGP attribute using the vulnerable function.
The PathAttributeAigp.DecodeFromBytes function fails to properly validate the size of the input data, leading to a buffer overflow.
The buffer overflow overwrites adjacent memory regions, potentially including critical program data or executable code.
The attacker leverages the memory corruption to execute arbitrary code on the GoBGP instance, gaining control of the system.

Impact

Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the affected GoBGP instance. This can lead to a complete compromise of the routing infrastructure, allowing the attacker to intercept, modify, or disrupt network traffic. In service provider environments, this could affect a large number of customers and cause significant network outages. Given the CVSS v3.1 score of 7.3, this is considered a high-severity vulnerability.

Recommendation

Upgrade to GoBGP version 4.4.0 to remediate the vulnerability as mentioned in the overview.
Apply the patch 51ad1ada06cb41ce47b7066799981816f50b7ced to the affected component to mitigate the vulnerability if upgrading is not immediately possible.
Monitor network traffic for BGP update messages with unusually large or malformed AIGP attributes, using a network intrusion detection system.
Deploy the Sigma rule detecting connections to port 179 from unusual sources to identify potentially malicious hosts attempting to exploit the vulnerability.
Review and harden BGP configuration to limit accepted peer connections to trusted sources only.

Totolink WA300 Buffer Overflow Vulnerability (CVE-2026-7719)

hello@craftedsignal.io — Mon, 04 May 2026 02:15:58 +0000

A critical buffer overflow vulnerability, identified as CVE-2026-7719, has been discovered in Totolink WA300 version 5.2cu.7112_B20190227. This vulnerability resides within the loginauth function of the /cgi-bin/cstecgi.cgi file, affecting the POST Request Handler component. The vulnerability is triggered by manipulating the http_host argument in a POST request. The exploit is publicly available, increasing the risk of widespread exploitation. This vulnerability allows for remote code execution, potentially granting attackers full control over the affected device. The affected version was released in February 2019. Defenders should prioritize patching or mitigating this vulnerability to prevent potential compromise.

Attack Chain

The attacker identifies a vulnerable Totolink WA300 device running firmware version 5.2cu.7112_B20190227.
The attacker crafts a malicious HTTP POST request targeting the /cgi-bin/cstecgi.cgi endpoint.
The crafted POST request includes a specially crafted http_host argument designed to overflow the buffer in the loginauth function.
The vulnerable loginauth function processes the http_host argument without proper bounds checking.
The oversized http_host argument overwrites adjacent memory regions, including the return address on the stack.
Upon completion of the loginauth function, the overwritten return address is used, redirecting execution to attacker-controlled code.
The attacker-controlled code executes with elevated privileges, allowing the attacker to execute arbitrary commands on the device.
The attacker gains complete control of the device, potentially using it for malicious purposes such as botnet participation, data theft, or further network penetration.

Impact

Successful exploitation of CVE-2026-7719 allows a remote attacker to execute arbitrary code on the vulnerable Totolink WA300 device. This can lead to complete device compromise, allowing the attacker to steal sensitive information, use the device as a botnet node, or pivot to other devices on the network. Given the public availability of the exploit, widespread exploitation is possible, potentially affecting a large number of home and small business networks using the vulnerable device.

Recommendation

Deploy the Sigma rule Detect Totolink WA300 HTTP Host Buffer Overflow Attempt to identify exploitation attempts in web server logs.
Monitor web server logs for POST requests to /cgi-bin/cstecgi.cgi with unusually long http_host headers.
Consider deploying a web application firewall (WAF) rule to filter out malicious requests targeting CVE-2026-7719.
Upgrade to a patched version of the firmware or replace the affected device to remediate the vulnerability.

Totolink WA300 Buffer Overflow Vulnerability in UploadCustomModule

hello@craftedsignal.io — Mon, 04 May 2026 01:16:05 +0000

A buffer overflow vulnerability has been identified in Totolink WA300 wireless router, specifically version 5.2cu.7112_B20190227. The vulnerability resides within the UploadCustomModule function of the /cgi-bin/cstecgi.cgi file, a component of the POST Request Handler. The identified vulnerability allows a remote attacker to cause a buffer overflow through manipulation of the File argument within a crafted POST request. Public proof-of-concept exploit code is available, increasing the likelihood of exploitation. This vulnerability poses a significant risk, as successful exploitation could lead to arbitrary code execution, potentially allowing attackers to fully compromise affected devices. Defenders should prioritize detection and mitigation strategies to prevent exploitation.

Attack Chain

Attacker identifies a vulnerable Totolink WA300 device running firmware version 5.2cu.7112_B20190227.
Attacker crafts a malicious POST request targeting the /cgi-bin/cstecgi.cgi endpoint.
The POST request includes a File argument with a payload exceeding the buffer size allocated for the UploadCustomModule function.
The UploadCustomModule function processes the POST request without proper bounds checking on the File argument.
The oversized File argument overwrites adjacent memory regions, including potentially critical program data and control flow instructions.
The buffer overflow allows the attacker to inject and execute arbitrary code on the device.
The attacker gains remote shell access to the device with elevated privileges.
The attacker could then use the compromised device to pivot into the internal network or cause a denial-of-service condition.

Impact

Successful exploitation of this buffer overflow vulnerability can lead to complete compromise of the affected Totolink WA300 device. An attacker could gain unauthorized access to the device’s configuration, intercept network traffic, or use the device as a bot in a larger attack. Given the high CVSS score of 8.8, the impact is considered critical. Home and small business networks using the affected router model are at risk. The vulnerability allows for remote code execution, leading to significant potential for damage.

Recommendation

Deploy the Sigma rule Detect Totolink WA300 UploadCustomModule Buffer Overflow Attempt to detect malicious POST requests targeting the vulnerable endpoint.
Monitor web server logs for POST requests to /cgi-bin/cstecgi.cgi with unusually large File parameters, as indicated in the Sigma rule.
Apply any available firmware updates from Totolink to patch CVE-2026-7717 if they become available.
Implement network segmentation to limit the impact of a compromised router on other internal network resources.

Edimax BR-6428nC Buffer Overflow Vulnerability (CVE-2026-7684)

hello@craftedsignal.io — Sun, 03 May 2026 07:16:25 +0000

A buffer overflow vulnerability, tracked as CVE-2026-7684, affects Edimax BR-6428nC devices up to version 1.16. The vulnerability resides in the /goform/setWAN file, specifically within the handling of the pptpDfGateway argument. An unauthenticated attacker can exploit this flaw remotely by sending a crafted request to the device. Publicly available exploit code exists, increasing the risk of widespread exploitation. The vendor was notified but did not respond, suggesting that a patch is unlikely and highlighting the need for mitigation strategies.

Attack Chain

The attacker identifies an Edimax BR-6428nC device running a vulnerable firmware version (<= 1.16).
The attacker crafts a malicious HTTP POST request targeting the /goform/setWAN endpoint.
The request includes the pptpDfGateway parameter with a value exceeding the expected buffer size.
The device processes the request, and the oversized pptpDfGateway value overflows the buffer, overwriting adjacent memory regions.
The attacker carefully crafts the overflow to overwrite the return address, redirecting execution flow.
Execution is redirected to attacker-controlled code injected within the overflowed buffer.
The attacker gains arbitrary code execution on the device, potentially achieving full system control.
The attacker could then use this control to modify device settings, intercept network traffic, or establish a persistent backdoor.

Impact

Successful exploitation of this vulnerability can allow an attacker to gain complete control of the Edimax BR-6428nC device. This could enable the attacker to intercept and modify network traffic, access sensitive information, or use the device as a point of entry for further attacks within the network. Given the public availability of exploit code, the risk of widespread exploitation is significant.

Recommendation

Deploy the Sigma rule Edimax_BR_6428nC_Buffer_Overflow_setWAN to detect suspicious HTTP requests targeting the vulnerable endpoint and parameter.
Consider blocking or rate-limiting access to the /goform/setWAN endpoint from untrusted networks.
Since the vendor is unresponsive and a patch is unlikely, network segmentation and access control policies are the best mitigation options.

Edimax BR-6208AC Buffer Overflow Vulnerability

hello@craftedsignal.io — Sun, 03 May 2026 07:16:25 +0000

A buffer overflow vulnerability, CVE-2026-7685, has been identified in Edimax BR-6208AC routers up to version 1.02. The vulnerability resides within the /goform/setWAN file, specifically related to the pptpDfGateway argument. Successful exploitation of this flaw could allow a remote attacker to execute arbitrary code or cause a denial-of-service condition. Publicly available exploits exist, increasing the risk of widespread exploitation. The vendor was notified but has not responded. Given the ease of exploitation and the potential for significant impact, this vulnerability poses a critical threat to affected devices.

Attack Chain

Attacker identifies an Edimax BR-6208AC router with firmware version 1.02 or earlier exposed to the internet.
The attacker crafts a malicious HTTP POST request targeting the /goform/setWAN endpoint.
Within the POST request, the attacker includes the pptpDfGateway argument, injecting a payload exceeding the buffer’s expected size.
The router’s web server processes the malicious request without proper input validation on the size of the pptpDfGateway argument.
The oversized payload overwrites adjacent memory regions on the stack, potentially including return addresses or other critical data.
When the function attempts to return, it jumps to an address controlled by the attacker, leading to arbitrary code execution.
The attacker executes commands to gain control of the device, potentially installing malware or modifying router settings.

Impact

Successful exploitation of this vulnerability can lead to complete compromise of the Edimax BR-6208AC router. An attacker could leverage this access to perform a variety of malicious activities, including eavesdropping on network traffic, injecting malicious code into web pages served by the router, or using the router as a bot in a larger botnet. Given the availability of public exploits, unpatched devices are at immediate risk of compromise.

Recommendation

Deploy the Sigma rule Detect Edimax BR-6208AC setWAN Buffer Overflow Attempt to identify exploitation attempts in web server logs.
Inspect web server logs for POST requests to /goform/setWAN containing unusually long pptpDfGateway parameters, as detected by the Sigma rule Detect Long pptpDfGateway Parameter.
Apply appropriate network segmentation to limit the blast radius of compromised devices and prevent lateral movement.

Shenzhen Libituo Technology LBT-T300-HW1 Buffer Overflow Vulnerability

hello@craftedsignal.io — Sun, 03 May 2026 03:16:15 +0000

A buffer overflow vulnerability, identified as CVE-2026-7675, affects Shenzhen Libituo Technology LBT-T300-HW1 devices with firmware versions up to 1.2.8. The vulnerability resides in the start_lan function within the /apply.cgi file. By manipulating the Channel/ApCliSsid argument, a remote attacker can trigger a buffer overflow, potentially leading to arbitrary code execution. Publicly available exploit code exists for this vulnerability. The vendor was notified about the vulnerability, but there has been no response. This vulnerability is considered critical due to the potential for remote exploitation and the availability of exploit code.

Attack Chain

The attacker identifies a vulnerable Shenzhen Libituo Technology LBT-T300-HW1 device running firmware version 1.2.8 or earlier.
The attacker crafts a malicious HTTP request targeting the /apply.cgi endpoint.
The HTTP request includes a specially crafted Channel/ApCliSsid argument designed to overflow the buffer in the start_lan function.
The vulnerable start_lan function receives the malicious input and attempts to process it without proper bounds checking.
The buffer overflow occurs, overwriting adjacent memory regions, including potentially the return address on the stack.
The attacker gains control of the program execution flow by overwriting the return address with the address of malicious code.
The injected code executes with the privileges of the web server process.
The attacker achieves arbitrary code execution, potentially gaining full control of the device.

Impact

Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the affected device. Given that this is a router, this could lead to complete compromise of the device, including the ability to intercept and manipulate network traffic, install malware, or use the device as part of a botnet. Due to the public availability of the exploit, widespread exploitation is possible.

Recommendation

Apply network intrusion detection system (NIDS) rules to detect and block malicious HTTP requests targeting /apply.cgi with excessively long Channel/ApCliSsid values.
Deploy the Sigma rule Detect-LBT-T300-HW1-applycgi-buffer-overflow to your SIEM and tune for your environment to identify exploitation attempts.
Monitor web server logs for suspicious POST requests to /apply.cgi and analyze the length of the Channel/ApCliSsid parameter.

Shenzhen Libituo Technology LBT-T300-HW1 Buffer Overflow Vulnerability

hello@craftedsignal.io — Sun, 03 May 2026 02:17:12 +0000

A buffer overflow vulnerability, identified as CVE-2026-7674, affects Shenzhen Libituo Technology LBT-T300-HW1 devices up to version 1.2.8. The vulnerability resides within the Web Management Interface, specifically in the start_single_service function. By sending a crafted request to the device and manipulating the vpn_pptp_server or vpn_l2tp_server arguments, an attacker can trigger a buffer overflow, potentially leading to arbitrary code execution. This vulnerability can be exploited remotely, making it a significant threat to affected devices. The vendor was notified but did not respond, increasing the risk of exploitation.

Attack Chain

The attacker identifies a vulnerable LBT-T300-HW1 device with version 1.2.8 or earlier.
The attacker crafts a malicious HTTP request targeting the Web Management Interface.
The malicious request includes a payload designed to overflow the buffer when processing the vpn_pptp_server or vpn_l2tp_server arguments.
The crafted request is sent to the start_single_service function.
The start_single_service function attempts to process the overly long input without proper bounds checking.
The buffer overflow overwrites adjacent memory regions, including potentially executable code or critical data structures.
The attacker gains control of the device by redirecting execution flow to attacker-controlled code injected into the buffer.
The attacker executes arbitrary code on the device, potentially gaining persistent access or causing denial of service.

Impact

Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the affected LBT-T300-HW1 device. This could lead to complete system compromise, including data theft, modification of device settings, or use of the device as a bot in a larger attack. Given the lack of vendor response, many devices could be vulnerable if exposed to the internet.

Recommendation

Deploy the Sigma rule Detect Suspicious VPN Server Configuration via Web Interface to detect potential exploitation attempts targeting the vulnerable start_single_service function in web server logs.
Monitor network traffic for unusually long strings passed as values for vpn_pptp_server and vpn_l2tp_server parameters in HTTP requests to the device’s web interface.
Apply any available patches or firmware updates released by Shenzhen Libituo Technology to address CVE-2026-7674.

TRENDnet TEW-821DAP Firmware Update Buffer Overflow Vulnerability

hello@craftedsignal.io — Sat, 02 May 2026 08:16:28 +0000

CVE-2026-7607 describes a buffer overflow vulnerability affecting TRENDnet TEW-821DAP version 1.12B01. The vulnerability resides within the auto_update_firmware function of the Firmware Update component. A remote attacker can exploit this flaw by sending a crafted request with a maliciously oversized ‘str’ argument, leading to a buffer overflow. Although the CVSS score is high, the vendor has stated that the affected product reached its end-of-life 8 years ago and is no longer supported, significantly reducing the risk of widespread exploitation. This lack of support means no patches or updates will be provided, leaving vulnerable devices exposed if still in operation.

Attack Chain

Attacker identifies a vulnerable TRENDnet TEW-821DAP device running firmware version 1.12B01.
Attacker sends a specially crafted network packet to the device, targeting the Firmware Update component.
The packet includes a malicious ‘str’ argument exceeding the buffer’s allocated size in the auto_update_firmware function.
The device attempts to process the firmware update, copying the oversized ‘str’ argument into the undersized buffer.
The buffer overflow overwrites adjacent memory regions, potentially including critical program data or execution pointers.
Attacker hijacks control of the execution flow by overwriting the return address with the address of malicious code.
The device executes the attacker’s arbitrary code with the privileges of the Firmware Update component.
The attacker gains control of the device, potentially enabling further malicious activities.

Impact

Successful exploitation of this buffer overflow vulnerability could allow an attacker to gain complete control over the affected TRENDnet TEW-821DAP device. This could lead to unauthorized network access, data theft, or the device being used as a bot in a larger attack. Given that the affected product is EOL, the number of actively exploitable devices is likely low, but any remaining devices are at significant risk since no patch will be available.

Recommendation

Identify and isolate any TRENDnet TEW-821DAP devices running firmware version 1.12B01 on your network. Consider decommissioning them if possible due to the end-of-life status and lack of security updates.
Monitor network traffic for suspicious packets targeting the Firmware Update component of TRENDnet devices. Implement intrusion detection rules to identify and block potentially malicious requests (see example Sigma rule below).
Since this is a buffer overflow on a network device, monitor for unusual process creation or network connections originating from TRENDnet devices.
Deploy the provided Sigma rule to detect attempts to exploit the vulnerability by monitoring for unusual data lengths in network traffic related to firmware updates.

Totolink NR1800X Stack-Based Buffer Overflow Vulnerability

hello@craftedsignal.io — Fri, 01 May 2026 03:16:01 +0000

A critical security vulnerability, CVE-2026-7546, affects Totolink NR1800X routers running firmware version 9.1.0u.6279_B20210910. The vulnerability resides within the find_host_ip function of the lighttpd web server component. By exploiting this flaw, a remote, unauthenticated attacker can trigger a stack-based buffer overflow through manipulation of the Host argument in an HTTP request. The publicly disclosed exploit allows attackers to potentially gain complete control of the device. This vulnerability poses a significant risk to home and small business networks utilizing the affected Totolink router model, as successful exploitation leads to arbitrary code execution.

Attack Chain

The attacker identifies a vulnerable Totolink NR1800X router running firmware version 9.1.0u.6279_B20210910.
The attacker crafts a malicious HTTP request targeting the router’s web interface.
The crafted request includes a Host header with a string exceeding the buffer size allocated in the find_host_ip function within the lighttpd component.
The router’s lighttpd server processes the HTTP request and passes the Host header value to the vulnerable function.
The find_host_ip function attempts to store the oversized Host value in a stack-allocated buffer.
A stack-based buffer overflow occurs due to the insufficient buffer size.
The overflow overwrites adjacent memory on the stack, potentially including the return address.
The attacker gains arbitrary code execution on the device.

Impact

Successful exploitation of CVE-2026-7546 allows a remote attacker to execute arbitrary code on the vulnerable Totolink NR1800X device. This can lead to complete control of the router, allowing the attacker to modify router settings, intercept network traffic, or use the compromised router as a pivot point for further attacks within the network. Given the nature of stack-based buffer overflows, the attacker can potentially install persistent backdoors or malware. This presents a significant risk to users, potentially exposing sensitive data and infrastructure to unauthorized access.

Recommendation

Apply available patches released by Totolink to remediate CVE-2026-7546.
Monitor network traffic for suspicious HTTP requests targeting Totolink routers, specifically looking for abnormally long Host headers with the Sigma rule “Detect Suspiciously Long Host Header”.
Implement network segmentation to limit the impact of a compromised router.
Review and harden router configurations, including disabling remote administration if not required.

UTT HiPER 1200GW Buffer Overflow Vulnerability

hello@craftedsignal.io — Fri, 01 May 2026 00:16:25 +0000

A buffer overflow vulnerability has been identified in UTT HiPER 1200GW devices with firmware versions up to 2.5.3-170306. The flaw resides within the strcpy function of the /goform/formRemoteControl file, which handles remote control functionalities. A remote attacker can exploit this vulnerability by sending a specially crafted request to trigger the buffer overflow, potentially leading to arbitrary code execution on the affected device. Publicly available exploit code exists, increasing the risk of exploitation. This vulnerability poses a significant threat to organizations using the affected UTT HiPER 1200GW devices, as it could allow attackers to gain unauthorized access and control over the device and potentially the network it is connected to.

Attack Chain

Attacker identifies a vulnerable UTT HiPER 1200GW device exposed to the internet.
Attacker crafts a malicious HTTP request targeting the /goform/formRemoteControl endpoint.
The malicious request includes a payload designed to overflow the buffer when processed by the strcpy function.
The vulnerable strcpy function within /goform/formRemoteControl copies the attacker-controlled data without proper bounds checking.
The buffer overflow overwrites adjacent memory regions, potentially including critical program data or execution pointers.
The attacker leverages the overflow to inject and execute arbitrary code on the device.
The attacker gains control of the device, potentially escalating privileges.
The attacker uses the compromised device to pivot to other systems on the network, exfiltrate sensitive data, or cause further damage.

Impact

Successful exploitation of this vulnerability could lead to complete compromise of the affected UTT HiPER 1200GW device. Attackers could gain unauthorized access to sensitive data, disrupt device functionality, or use the device as a foothold for further attacks within the network. Given that public exploits are available, the risk of widespread exploitation is high. While the exact number of affected devices is unknown, organizations using UTT HiPER 1200GW devices should take immediate action to mitigate this vulnerability.

Recommendation

Apply available patches or firmware updates from UTT to address the buffer overflow vulnerability in UTT HiPER 1200GW devices.
Monitor network traffic for suspicious requests targeting the /goform/formRemoteControl endpoint, and deploy the Sigma rule Detect Suspicious Requests to FormRemoteControl to identify potentially malicious activity.
Implement input validation and sanitization measures to prevent buffer overflows in web applications.
Consider network segmentation to limit the impact of a compromised device on other systems within the network.
Review and restrict access to the device’s web interface to only authorized personnel.

code-projects Plugin 4.1.2cu.5137 Buffer Overflow Vulnerability

hello@craftedsignal.io — Thu, 30 Apr 2026 22:16:26 +0000

A critical buffer overflow vulnerability, identified as CVE-2026-7503, has been discovered in code-projects Plugin version 4.1.2cu.5137. The vulnerability resides within the setWiFiMultipleConfig function in the /lib/cste_modules/wireless.so library, which is part of the /cgi-bin/cstecgi.cgi executable. Successful exploitation is achieved through manipulation of the wepkey2 argument, allowing for remote code execution. The vulnerability is considered highly critical due to the availability of a public exploit, increasing the likelihood of widespread exploitation and potential compromise of affected systems. This poses a significant threat to devices utilizing the vulnerable plugin version.

Attack Chain

Attacker identifies a system running code-projects Plugin 4.1.2cu.5137.
The attacker crafts a malicious HTTP request targeting the /cgi-bin/cstecgi.cgi endpoint.
The request includes a specially crafted payload for the wepkey2 argument within the setWiFiMultipleConfig function.
The vulnerable function setWiFiMultipleConfig processes the malicious input without proper bounds checking.
The oversized wepkey2 argument overflows the buffer, overwriting adjacent memory regions.
The attacker injects malicious code into the memory space via the buffer overflow.
The injected code executes, granting the attacker control over the affected system.

Impact

Successful exploitation of CVE-2026-7503 can lead to complete system compromise, allowing attackers to execute arbitrary code, steal sensitive information, or cause denial-of-service conditions. Due to the ready availability of an exploit, any system running the vulnerable code-projects plugin version 4.1.2cu.5137 is at immediate risk. The lack of specific victim numbers or sector targeting information in the provided source does not diminish the critical nature of the vulnerability given the high CVSS score (8.8) and public exploit.

Recommendation

Deploy the Sigma rule “Detect Code-Projects WiFi Configuration Buffer Overflow Attempt” to your SIEM to detect exploitation attempts targeting the vulnerable setWiFiMultipleConfig function and monitor web server logs (cs-uri-query).
Apply input validation and sanitization to prevent buffer overflows. This issue occurs within the /lib/cste_modules/wireless.so library called by /cgi-bin/cstecgi.cgi.
Monitor network traffic for suspicious requests targeting the /cgi-bin/cstecgi.cgi endpoint, as this is the entry point for exploiting CVE-2026-7503.

Tenda 4G300 Stack-Based Buffer Overflow Vulnerability

hello@craftedsignal.io — Thu, 30 Apr 2026 03:16:01 +0000

A stack-based buffer overflow vulnerability has been identified in Tenda 4G300 routers, specifically version US_4G300V1.0Mt_V1.01.42_CN_TDC01. The vulnerability resides within the sub_427C3C function located in the /goform/SafeMacFilter file. An attacker can exploit this flaw by manipulating the page argument in a crafted request, leading to a buffer overflow and potentially allowing for arbitrary code execution on the affected device. The vulnerability, identified as CVE-2026-7470, poses a significant risk as remote exploitation is possible, and a proof-of-concept exploit is publicly available, increasing the likelihood of malicious actors leveraging this vulnerability.

Attack Chain

The attacker identifies a Tenda 4G300 router running the vulnerable firmware version US_4G300V1.0Mt_V1.01.42_CN_TDC01.
The attacker crafts a malicious HTTP POST request targeting the /goform/SafeMacFilter endpoint.
The crafted request includes the page argument with a payload exceeding the buffer size allocated for it within the sub_427C3C function.
The router processes the HTTP request, passing the oversized page argument to the vulnerable function.
The sub_427C3C function attempts to write the oversized data into a stack-based buffer, causing a buffer overflow.
The buffer overflow overwrites adjacent memory on the stack, including the return address.
The attacker redirects execution flow to a malicious code payload injected into the request or elsewhere in memory.
The injected code executes with the privileges of the router process, potentially allowing the attacker to gain full control of the device.

Impact

Successful exploitation of this vulnerability can lead to complete compromise of the Tenda 4G300 router. An attacker could gain unauthorized access to the device’s configuration, intercept network traffic, or use the router as a launching point for further attacks against other devices on the network or the internet. Given the widespread use of these routers in homes and small businesses, a successful attack could impact a large number of users.

Recommendation

Monitor web server logs for unusual POST requests to /goform/SafeMacFilter with abnormally long page parameters. Use the provided Sigma rule to detect suspicious activity.
Implement rate limiting on the /goform/SafeMacFilter endpoint to mitigate potential brute-force exploitation attempts.
Apply any available patches or firmware updates released by Tenda to address CVE-2026-7470.
Deploy the Sigma rules in this brief to your SIEM and tune for your environment.

UTT HiPER 1250GW Buffer Overflow Vulnerability (CVE-2026-7420)

hello@craftedsignal.io — Wed, 29 Apr 2026 23:16:20 +0000

A critical buffer overflow vulnerability, CVE-2026-7420, has been identified in UTT HiPER 1250GW devices. The vulnerability exists in versions up to 3.2.7-210907-180535. The vulnerability lies within the strcpy function in the route/goform/ConfigAdvideo file, where the ‘Profile’ argument is not properly validated, leading to a buffer overflow condition. This allows unauthenticated remote attackers to potentially execute arbitrary code on the device. Publicly available exploits exist, increasing the risk of exploitation. Defenders should implement mitigations and detection strategies immediately.

Attack Chain

The attacker identifies a vulnerable UTT HiPER 1250GW device exposed to the internet.
The attacker crafts a malicious HTTP request targeting the route/goform/ConfigAdvideo endpoint.
The HTTP request includes a ‘Profile’ argument with a payload exceeding the buffer size allocated for it.
The strcpy function attempts to copy the oversized ‘Profile’ argument into the undersized buffer.
The buffer overflow occurs, overwriting adjacent memory regions.
The attacker injects malicious code into the overflowed memory region to gain code execution.
The attacker achieves remote code execution on the UTT HiPER 1250GW device.
The attacker gains control of the device, potentially using it for further malicious activities such as lateral movement, data exfiltration, or denial-of-service attacks.

Impact

Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the UTT HiPER 1250GW device. This can lead to complete compromise of the device, potentially enabling attackers to gain unauthorized access to the network it is connected to, exfiltrate sensitive data, or use the device as a bot in a botnet. The impact is significant, especially if these devices are used in critical infrastructure or sensitive environments.

Recommendation

Apply available patches or firmware updates for UTT HiPER 1250GW devices to remediate CVE-2026-7420.
Implement network segmentation to isolate UTT HiPER 1250GW devices from critical network segments.
Deploy the Sigma rule Detect UTT HiPER Buffer Overflow Attempt to identify malicious HTTP requests targeting the route/goform/ConfigAdvideo endpoint.
Monitor web server logs for unusual activity and large ‘Profile’ argument values in requests to route/goform/ConfigAdvideo to identify potential exploitation attempts.

UTT HiPER 1250GW Buffer Overflow Vulnerability

hello@craftedsignal.io — Wed, 29 Apr 2026 22:16:22 +0000

A buffer overflow vulnerability, identified as CVE-2026-7418, has been discovered in UTT HiPER 1250GW devices with firmware versions up to 3.2.7-210907-180535. The vulnerability resides within the strcpy function in the route/goform/NTP file. A remote attacker can exploit this vulnerability by manipulating the Profile argument during NTP configuration. Successful exploitation could lead to arbitrary code execution on the affected device. The vulnerability has been publicly disclosed, increasing the risk of exploitation. This poses a significant threat to organizations using the affected UTT HiPER 1250GW devices, as attackers could potentially gain control of the device and use it as a foothold for further malicious activities within the network.

Attack Chain

The attacker identifies a vulnerable UTT HiPER 1250GW device with a firmware version up to 3.2.7-210907-180535.
The attacker crafts a malicious HTTP request targeting the /route/goform/NTP endpoint.
The crafted request includes a specially designed Profile argument containing a payload that exceeds the buffer size allocated for it.
The web server on the UTT HiPER 1250GW device receives the HTTP request and passes the Profile argument to the strcpy function.
The strcpy function copies the oversized Profile argument into the undersized buffer, leading to a buffer overflow.
The buffer overflow overwrites adjacent memory regions, potentially including critical program data or executable code.
The attacker gains arbitrary code execution on the device with the privileges of the web server process.
The attacker can then use this foothold to further compromise the device or the network it is connected to, potentially leading to data exfiltration or denial-of-service attacks.

Impact

Successful exploitation of CVE-2026-7418 can allow a remote attacker to execute arbitrary code on the affected UTT HiPER 1250GW device. This could allow the attacker to gain full control of the device, potentially leading to data exfiltration, denial-of-service attacks, or further compromise of the network to which the device is connected. The vulnerability has a CVSS v3.1 score of 8.8, indicating a high severity. Given the public availability of the exploit, organizations using the affected devices are at increased risk.

Recommendation

Apply available patches or firmware updates provided by UTT to address CVE-2026-7418 on HiPER 1250GW devices.
Deploy the Sigma rule Detect Suspicious NTP Profile Argument to detect exploitation attempts against the /route/goform/NTP endpoint.
Monitor web server logs for suspicious requests targeting the /route/goform/NTP endpoint with unusually long Profile arguments to identify potential exploitation attempts.

Alloksoft Video Joiner Buffer Overflow Vulnerability (CVE-2018-25315)

hello@craftedsignal.io — Wed, 29 Apr 2026 20:16:27 +0000

Alloksoft Video Joiner version 4.6.1217 is susceptible to a buffer overflow vulnerability (CVE-2018-25315). This vulnerability allows a local attacker to execute arbitrary code on a vulnerable system. The attack involves crafting a malicious string and supplying it to the “License Name” field of the application during registration. Exploitation occurs due to the application’s failure to properly validate the length of the input, allowing a buffer overflow to occur. The attacker leverages Structured Exception Handler (SEH) overwrite and injects shellcode to gain code execution in the context of the application. This vulnerability was reported in April 2026.

Attack Chain

The attacker gains local access to a system with Alloksoft Video Joiner 4.6.1217 installed.
The attacker identifies the “License Name” field within the application’s registration process as a potential vulnerability point.
The attacker crafts a malicious string that exceeds the expected buffer size for the “License Name” field.
The malicious string includes an SEH overwrite payload, redirecting execution flow to the attacker’s controlled memory.
The crafted string also contains shellcode designed to perform arbitrary code execution.
The attacker inputs the malicious string into the “License Name” field and submits the registration form.
The application attempts to process the oversized string, triggering a buffer overflow.
The SEH overwrite redirects execution to the injected shellcode, granting the attacker arbitrary code execution within the context of the Alloksoft Video Joiner process.

Impact

Successful exploitation of this buffer overflow vulnerability allows a local attacker to execute arbitrary code with the privileges of the Alloksoft Video Joiner application. This could lead to complete system compromise, data theft, or installation of malware. While the specific number of affected users is unknown, any system running the vulnerable version of the software is at risk.

Recommendation

Monitor process creations for VideoJoiner.exe spawning unusual child processes, indicative of code execution stemming from the overflow.
Consider deploying network egress rules to block connections originating from VideoJoiner.exe to external IPs to prevent command and control.
Implement application control policies to prevent the execution of unsigned or untrusted code within the context of VideoJoiner.exe.

Allok Soft WMV Converter Buffer Overflow Vulnerability (CVE-2018-25314)

hello@craftedsignal.io — Wed, 29 Apr 2026 20:16:27 +0000

Allok Soft WMV to AVI MPEG DVD WMV Converter version 4.6.1217 is susceptible to a buffer overflow vulnerability (CVE-2018-25314). This vulnerability allows a local attacker to execute arbitrary code on a targeted system. The attack vector involves supplying an overly long string to the “License Name” field of the application, triggering the buffer overflow. Successful exploitation allows attackers to inject and execute shellcode within the context of the application, potentially leading to privilege escalation and complete system compromise. This vulnerability was reported in April 2026.

Attack Chain

Attacker crafts a malicious input string containing shellcode.
The malicious string is designed to overwrite the Structured Exception Handler (SEH).
Attacker opens Allok Soft WMV to AVI MPEG DVD WMV Converter 4.6.1217.
Attacker inputs the crafted string into the “License Name” field within the application’s interface.
The application attempts to process the oversized input, triggering a buffer overflow.
The overflow overwrites the SEH with a pointer to the attacker-controlled shellcode.
An exception is triggered within the application.
The SEH handler is invoked, redirecting execution flow to the injected shellcode, enabling arbitrary code execution.

Impact

Successful exploitation of CVE-2018-25314 allows a local attacker to execute arbitrary code with the privileges of the Allok Soft WMV to AVI MPEG DVD WMV Converter application. This could lead to sensitive data theft, installation of malware, or complete system compromise. While specific victim counts are unavailable, any system running the vulnerable software is at risk.

Recommendation

Monitor process creations for wmvconverter.exe spawning unusual child processes using the Alloksoft WMV Converter Spawning Suspicious Process Sigma rule.
Monitor for unexpected registry modifications performed by wmvconverter.exe using the Alloksoft WMV Converter Registry Modification Sigma rule.
Consider removing Allok Soft WMV to AVI MPEG DVD WMV Converter 4.6.1217 from systems where it is not essential, as no patch is available.

Prime95 Local Buffer Overflow Vulnerability (CVE-2018-25299)

hello@craftedsignal.io — Wed, 29 Apr 2026 20:16:25 +0000

Prime95 is a popular application used for finding Mersenne prime numbers, often employed for stress-testing computer hardware. Version 29.4b8 of Prime95 is vulnerable to a local buffer overflow (CVE-2018-25299). An attacker with local access can exploit this vulnerability to execute arbitrary code on the system. The vulnerability stems from insufficient input validation when handling the optional proxy hostname field within the PrimeNet connection settings. By providing an overly long string, an attacker can overwrite parts of the process memory, specifically the Structured Exception Handling (SEH) chain. This allows them to redirect the flow of execution to attacker-controlled code, leading to arbitrary command execution. This vulnerability was published on April 29, 2026, and poses a significant risk to systems running the vulnerable software.

Attack Chain

The attacker gains local access to a system running Prime95 29.4b8.
The attacker modifies the PrimeNet connection settings within Prime95.
The attacker supplies a malicious payload within the optional “proxy hostname” field, exceeding the expected buffer size.
When Prime95 attempts to process the overly long proxy hostname, a buffer overflow occurs.
The overflow overwrites the Structured Exception Handling (SEH) record on the stack.
When an exception occurs within Prime95 (triggered intentionally or unintentionally), the overwritten SEH record points to attacker-controlled code.
The system attempts to handle the exception, causing execution to jump to the attacker-controlled code injected via the proxy hostname.
The attacker’s code executes with the privileges of the Prime95 process, potentially leading to system compromise.

Impact

Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the affected system. This can lead to complete system compromise, data theft, or installation of malware. Since the vulnerability is local, an attacker needs prior access to the system, either through social engineering, stolen credentials, or other means. However, once access is obtained, exploitation is relatively straightforward. This vulnerability has a high CVSS score of 8.4, reflecting the significant potential impact.

Recommendation

Upgrade to a patched version of Prime95 that addresses CVE-2018-25299. Check the vendor’s website (https://www.mersenne.org/download/#download) for updates.
Implement strong input validation on any configuration files or settings that Prime95 reads to prevent buffer overflows.
Monitor process creation events for unusual activity originating from the Prime95 executable, which could indicate exploitation. Deploy the Sigma rule provided to detect suspicious command line arguments.

Free Download Manager 2.0 Built 417 Local Buffer Overflow Vulnerability

hello@craftedsignal.io — Wed, 29 Apr 2026 20:16:25 +0000

Free Download Manager (FDM) version 2.0 Built 417 is susceptible to a local buffer overflow vulnerability (CVE-2018-25304) within its URL import functionality. This vulnerability, discovered and reported by VulnCheck, allows an attacker to craft a malicious URL file. When a user imports this specially crafted file through the “File > Import > Import lists of downloads” menu, the application attempts to process the ‘Location’ header response, triggering a buffer overflow. This overflow overwrites the Structured Exception Handler (SEH) chain, enabling the attacker to execute arbitrary code within the context of the FDM process. This vulnerability can be exploited locally by tricking a user into importing a malicious file.

Attack Chain

Attacker crafts a malicious .url file containing an overly long Location header value designed to cause a buffer overflow.
The victim is convinced to download the malicious .url file (e.g., through social engineering).
The victim opens Free Download Manager 2.0 Built 417.
The victim navigates to “File > Import > Import lists of downloads” within FDM.
The victim selects the downloaded malicious .url file and initiates the import process.
FDM parses the malicious .url file and attempts to process the long Location header.
The excessively long Location header causes a buffer overflow, overwriting the SEH chain.
When an exception is triggered (due to the overflow), the overwritten SEH chain is used to redirect execution to attacker-controlled code, resulting in arbitrary code execution.

Impact

Successful exploitation of this buffer overflow vulnerability allows an attacker to execute arbitrary code on the victim’s system with the privileges of the Free Download Manager process. This could lead to complete system compromise, data theft, or installation of malware. While specific victim counts are unavailable, the vulnerability poses a significant risk to users of Free Download Manager 2.0 Built 417.

Recommendation

Monitor for process creation events originating from Free Download Manager after importing a .url file to detect potential exploitation attempts (see Sigma rule “Detect Free Download Manager Suspicious Process Creation After Import”).
Implement file integrity monitoring (FIM) on the Free Download Manager executable directory to detect unauthorized modifications potentially related to exploitation.
Consider using application control solutions to restrict the execution of unsigned or untrusted code within the Free Download Manager process.

Easy MPEG to DVD Burner 1.7.11 SEH Buffer Overflow

hello@craftedsignal.io — Wed, 29 Apr 2026 20:16:25 +0000

Easy MPEG to DVD Burner 1.7.11 is vulnerable to a structured exception handling (SEH) local buffer overflow. This vulnerability allows a local attacker to execute arbitrary code on a targeted system. The vulnerability can be triggered by supplying a malicious username string to the application. The attacker exploits this vulnerability by overwriting the SEH handler, redirecting execution flow to attacker-controlled shellcode, which can then execute arbitrary commands. This vulnerability exists due to insufficient bounds checking when handling user-supplied data, specifically the username. Successful exploitation allows for arbitrary code execution within the context of the application.

Attack Chain

The attacker crafts a malicious input string designed to trigger a buffer overflow in Easy MPEG to DVD Burner 1.7.11.
The malicious string includes junk data to fill the buffer, SEH chain pointers to control the exception handling process, and shellcode containing the attacker’s desired commands.
The attacker provides the crafted input as a username during application execution, likely via a configuration file or command-line argument.
The application’s vulnerable code attempts to copy the attacker-controlled username into a fixed-size buffer without proper bounds checking.
The buffer overflows, overwriting the SEH handler with the attacker-controlled SEH chain pointers.
An exception is triggered within the application due to the buffer overflow, causing the SEH handler to be invoked.
The overwritten SEH handler redirects execution to the attacker’s shellcode.
The shellcode executes arbitrary commands, such as launching calc.exe, giving the attacker control over the system.

Impact

Successful exploitation of this vulnerability allows a local attacker to execute arbitrary code with the privileges of the user running Easy MPEG to DVD Burner 1.7.11. This can lead to complete system compromise, data theft, or denial of service. While there is no mention of the number of victims or specific sectors targeted in the provided document, the high CVSS score (8.4) indicates a significant risk. The impact would allow lateral movement and further compromise.

Recommendation

Block execution of Easy MPEG to DVD Burner 1.7.11 if it is not a required application.
Monitor process creations for unusual processes originating from Easy MPEG to DVD Burner using the process creation rule below.
Monitor for unexpected process execution, such as calc.exe (mentioned in the advisory), following the execution of Easy MPEG to DVD Burner 1.7.11.

Allok Video to DVD Burner Stack-Based Buffer Overflow Vulnerability (CVE-2018-25303)

hello@craftedsignal.io — Wed, 29 Apr 2026 20:16:25 +0000

A stack-based buffer overflow vulnerability exists in Allok Video to DVD Burner version 2.6.1217. This vulnerability, identified as CVE-2018-25303, resides within the “License Name” field of the application. A local attacker can exploit this flaw by crafting a malicious input designed to overwrite the Structured Exception Handler (SEH). Successful exploitation enables the attacker to execute arbitrary code within the context of the application. The vulnerability was reported on 2026-04-29. This is important for defenders because successful exploitation can lead to complete system compromise on vulnerable machines.

Attack Chain

The attacker gains local access to a system with Allok Video to DVD Burner 2.6.1217 installed.
The attacker crafts a malicious input string consisting of 780 bytes of arbitrary data.
The attacker appends SEH chain pointers and shellcode to the crafted input string.
The attacker opens the Allok Video to DVD Burner application and navigates to the registration window.
The attacker pastes the malicious input string into the “License Name” field.
The application attempts to process the oversized input, triggering the buffer overflow.
The SEH is overwritten with the attacker’s controlled pointers.
The shellcode is executed, giving the attacker arbitrary code execution on the system.

Impact

Successful exploitation of this vulnerability allows a local attacker to execute arbitrary code within the context of the Allok Video to DVD Burner application. This could lead to complete system compromise, including data theft, installation of malware, or other malicious activities. The vulnerability affects version 2.6.1217 of the software. The number of potential victims depends on the number of installations of the vulnerable software.

Recommendation

Monitor process creations for Allok Video to DVD Burner and unusual child processes using the process creation rule below.
Monitor for registry modifications performed by the vulnerable application that may indicate persistence.
Due to the age of the application, consider whether it should continue to be used within the environment.

Allok AVI to DVD SVCD VCD Converter Buffer Overflow Vulnerability

hello@craftedsignal.io — Wed, 29 Apr 2026 20:16:25 +0000

Allok AVI to DVD SVCD VCD Converter version 4.0.1217 is susceptible to a structured exception handling (SEH) based buffer overflow vulnerability. This vulnerability enables a local attacker to execute arbitrary code by crafting a specific payload. The attack involves providing a malicious string in the License Name field of the application. This can be exploited without requiring any prior authentication, making it a significant security concern for systems running the vulnerable software. The vulnerability was reported on April 29, 2026.

Attack Chain

The attacker prepares a malicious string payload consisting of junk data, an NSEH bypass, an SEH handler address, and shellcode.
The attacker opens the Allok AVI to DVD SVCD VCD Converter application.
The attacker navigates to the registration or license activation section of the software.
The attacker pastes the malicious string into the License Name field.
The attacker clicks the “Register” button, triggering the buffer overflow.
The overflow overwrites the SEH frame, redirecting execution flow to the attacker-controlled NSEH bypass.
The NSEH bypass redirects execution to the SEH handler address, which points to the attacker’s shellcode.
The shellcode executes, allowing the attacker to run arbitrary code on the system.

Impact

Successful exploitation of this buffer overflow vulnerability allows a local attacker to execute arbitrary code with the privileges of the user running the Allok AVI to DVD SVCD VCD Converter. This could lead to complete system compromise, data theft, or installation of malware. Given the ease of exploitation (no authentication required, local access only) this poses a significant risk to systems with the vulnerable software installed.

Recommendation

Deploy the Sigma rule Allok AVI Converter SEH Buffer Overflow to detect exploitation attempts based on process creation events.
Monitor for abnormal process execution originating from the Allok AVI to DVD SVCD VCD Converter application to identify potential exploitation (process_creation).
Consider removing the Allok AVI to DVD SVCD VCD Converter 4.0.1217 until a patch is available, due to the high severity and ease of exploitation.

D-Link DIR-825M Remote Buffer Overflow Vulnerability

hello@craftedsignal.io — Tue, 28 Apr 2026 15:16:37 +0000

A buffer overflow vulnerability exists in D-Link DIR-825M router version 1.1.12. The vulnerability is located within the sub_414BA8 function of the /boafrm/formWanConfigSetup file. An attacker can exploit this flaw by manipulating the submit-url argument, leading to arbitrary code execution on the device. This vulnerability is remotely exploitable, and a proof-of-concept exploit is publicly available, increasing the risk of widespread attacks. Exploitation does not require authentication by default, and could allow an attacker to gain complete control over the device. This poses a significant threat to home and small business networks relying on this router model.

Attack Chain

The attacker identifies a vulnerable D-Link DIR-825M router running firmware version 1.1.12.
The attacker crafts a malicious HTTP POST request targeting the /boafrm/formWanConfigSetup endpoint.
The attacker includes the submit-url argument in the POST request, injecting a buffer overflow payload.
The crafted payload overflows the buffer in the sub_414BA8 function during the processing of the submit-url argument.
The buffer overflow overwrites critical memory regions, including the return address.
When the sub_414BA8 function returns, control is redirected to the attacker-controlled address.
The attacker’s payload executes arbitrary code, potentially downloading and executing a secondary payload.
The attacker gains remote shell access to the router.

Impact

Successful exploitation of this buffer overflow vulnerability allows a remote attacker to execute arbitrary code on the D-Link DIR-825M router. This can lead to complete compromise of the device, allowing the attacker to eavesdrop on network traffic, modify router settings, or use the router as a botnet node for further malicious activities. Given the widespread use of D-Link routers in home and small business networks, a successful attack could compromise a large number of devices and networks.

Recommendation

Apply available firmware updates from D-Link to patch CVE-2026-7289.
Deploy the following Sigma rule to detect suspicious POST requests to /boafrm/formWanConfigSetup with overly long submit-url parameters.
Monitor web server logs for suspicious activity related to the /boafrm/formWanConfigSetup endpoint.

Tenda HG3 v2.0 Stack-Based Buffer Overflow in formUploadConfig

hello@craftedsignal.io — Tue, 28 Apr 2026 12:00:00 +0000

A stack-based buffer overflow vulnerability has been identified in Tenda HG3 version 2.0. The vulnerability exists within the formUploadConfig function of the /boaform/formIPv6Routing file. A remote attacker can exploit this by manipulating the destNet argument, potentially leading to arbitrary code execution on the device. The vulnerability, identified as CVE-2026-7151, has a publicly available exploit, increasing the risk of exploitation. This poses a significant threat to users of Tenda HG3 v2.0 routers, potentially allowing attackers to gain unauthorized access and control over the device. The CVSS v3.1 score is rated as 8.8 (HIGH).

Attack Chain

Attacker identifies a Tenda HG3 v2.0 router with default or known credentials, or no authentication at all.
The attacker sends a crafted HTTP POST request to /boaform/formIPv6Routing.
The request targets the formUploadConfig function.
The destNet argument within the HTTP POST data is manipulated with a string exceeding the buffer size.
The formUploadConfig function processes the oversized destNet argument without proper bounds checking.
This causes a stack-based buffer overflow, overwriting adjacent memory regions on the stack.
The attacker gains arbitrary code execution on the device by overwriting the return address or other critical data on the stack.
The attacker can then leverage this to gain full control of the device, potentially modifying settings, injecting malware, or using it as part of a botnet.

Impact

Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the affected Tenda HG3 v2.0 router. This could lead to complete compromise of the device, allowing the attacker to monitor network traffic, change router settings, or use the device as a launchpad for further attacks against other devices on the network. Given the potential for widespread exploitation due to the publicly available exploit, a large number of Tenda HG3 v2.0 users are at risk.

Recommendation

Monitor web server logs for unusual POST requests to /boaform/formIPv6Routing with excessively long destNet parameters to detect potential exploit attempts (see example Sigma rule below).
Implement rate limiting for requests to /boaform/formIPv6Routing to mitigate brute-force exploitation attempts.
Apply available patches or firmware updates from Tenda to address CVE-2026-7151 on vulnerable HG3 2.0 devices.
Consider deploying a web application firewall (WAF) rule to filter out malicious requests targeting the destNet parameter in /boaform/formIPv6Routing.

D-Link DI-8100 Remote Buffer Overflow Vulnerability

hello@craftedsignal.io — Tue, 28 Apr 2026 09:16:18 +0000

A critical buffer overflow vulnerability, identified as CVE-2026-7248, affects the D-Link DI-8100 router, specifically version 16.07.26A1. The vulnerability resides within the tgfile_htm function of the tgfile.htm file, a component of the CGI endpoint. By crafting a malicious request targeting the fn argument, a remote, unauthenticated attacker can trigger a buffer overflow, potentially leading to arbitrary code execution. This vulnerability is particularly concerning as a proof-of-concept exploit has been publicly released, increasing the likelihood of exploitation. Routers are often targeted due to their exposure to the internet and the potential to compromise entire networks.

Attack Chain

The attacker identifies a vulnerable D-Link DI-8100 router running firmware version 16.07.26A1.
The attacker crafts a malicious HTTP request targeting the tgfile.htm CGI endpoint.
The malicious request includes an overly long string in the fn argument.
The router’s web server processes the request and passes the fn argument to the tgfile_htm function.
The tgfile_htm function fails to properly validate the length of the fn argument.
A buffer overflow occurs when the overly long fn argument is copied into a fixed-size buffer.
The buffer overflow overwrites adjacent memory, potentially including return addresses or other critical data.
The attacker gains arbitrary code execution on the router, potentially allowing them to take full control of the device.

Impact

Successful exploitation of this vulnerability allows an attacker to remotely execute arbitrary code on the D-Link DI-8100 router. This could lead to a complete compromise of the device, allowing the attacker to intercept network traffic, modify router settings, or use the router as a launchpad for further attacks against other devices on the network. Given the public availability of an exploit, widespread exploitation is possible, potentially affecting numerous home and small business networks.

Recommendation

Monitor web server logs for abnormally long fn parameters in requests to /tgfile.htm using the provided Sigma rule to detect potential exploitation attempts.
Implement rate limiting on HTTP requests to the router’s web interface to mitigate brute-force exploitation attempts.
Since the source material only identifies a vulnerability, without a patch, consider replacing the affected device.

Totolink N300RT Buffer Overflow Vulnerability (CVE-2026-7219)

hello@craftedsignal.io — Tue, 28 Apr 2026 04:16:23 +0000

A buffer overflow vulnerability, identified as CVE-2026-7219, has been discovered in Totolink N300RT router firmware version 3.4.0-B20250430. The vulnerability resides within the /boafrm/formIpQoS file and is triggered by manipulating the entry_name argument. An attacker can exploit this flaw remotely to potentially execute arbitrary code on the device. Publicly available exploit code exists, increasing the risk of exploitation. This vulnerability poses a significant threat to devices running the affected firmware, potentially allowing attackers to gain unauthorized access and control over the router.

Attack Chain

An attacker identifies a Totolink N300RT device running firmware version 3.4.0-B20250430.
The attacker crafts a malicious HTTP request targeting the /boafrm/formIpQoS file.
The crafted request includes a payload designed to overflow the buffer associated with the entry_name argument.
The router’s web server processes the malicious request, leading to a buffer overflow condition.
The attacker overwrites adjacent memory regions, potentially including return addresses or other critical data.
Upon function return, the overwritten return address is used, diverting execution flow to attacker-controlled code.
The attacker gains arbitrary code execution on the device.
The attacker can then use this access to modify router settings, intercept network traffic, or establish a persistent backdoor.

Impact

Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the Totolink N300RT device. This could lead to complete compromise of the router, enabling attackers to monitor network traffic, change DNS settings, or use the device as part of a botnet. Given the number of Totolink N300RT devices deployed, this vulnerability could have a widespread impact, especially for home and small business users.

Recommendation

Monitor web server logs for requests targeting /boafrm/formIpQoS with unusually long entry_name parameters to detect potential exploitation attempts. Implement the Sigma rule Detect Suspicious Totolink FormIpQoS Requests.
Apply firmware updates as soon as they are released by Totolink to patch CVE-2026-7219.
Implement network segmentation to limit the impact of a compromised router on other devices on the network.
Consider using a web application firewall (WAF) to filter out malicious requests targeting the router’s web interface and activate the Detect Large POST Requests to Router Config Pages Sigma rule.

Tenda F456 Router Buffer Overflow Vulnerability (CVE-2026-7101)

hello@craftedsignal.io — Mon, 27 Apr 2026 09:19:31 +0000

A critical buffer overflow vulnerability, identified as CVE-2026-7101, has been discovered in Tenda F456 router version 1.0.0.5. The vulnerability resides in the fromWrlclientSet function within the /goform/WrlclientSet file, which is part of the router’s httpd component. Successful exploitation allows remote attackers to execute arbitrary code on the device. Publicly available exploit code exists, increasing the risk of widespread exploitation. This vulnerability poses a significant threat to home and small business networks using the affected Tenda router model, potentially leading to complete device compromise and unauthorized network access. The vulnerability was published on 2026-04-27 and is tracked by VulDB.

Attack Chain

An attacker identifies a vulnerable Tenda F456 router running firmware version 1.0.0.5.
The attacker crafts a malicious HTTP request targeting the /goform/WrlclientSet endpoint.
The crafted request includes an oversized payload designed to overflow the buffer in the fromWrlclientSet function.
The httpd process attempts to process the request without proper bounds checking.
The buffer overflow occurs, overwriting adjacent memory regions, including critical program data and execution pointers.
The attacker gains control of the program execution flow.
The attacker executes arbitrary code on the router, potentially including shell commands or custom malware.
The attacker achieves complete control of the router, potentially enabling network reconnaissance, data exfiltration, or further attacks on the local network.

Impact

Successful exploitation of this buffer overflow vulnerability allows a remote attacker to execute arbitrary code on the Tenda F456 router. This can lead to complete device compromise, allowing the attacker to control network traffic, modify router settings, or use the compromised device as a pivot point for further attacks within the network. Given the wide usage of Tenda routers in home and small business environments, a successful widespread exploitation could impact thousands of users.

Recommendation

Upgrade to a patched firmware version if available from the vendor.
Implement network segmentation to limit the impact of a compromised router.
Monitor web server logs for suspicious activity targeting the /goform/WrlclientSet endpoint using the provided Sigma rule.
Implement an IPS rule to detect and block exploit attempts targeting CVE-2026-7101.

Tenda F456 Router Buffer Overflow Vulnerability

hello@craftedsignal.io — Sun, 26 Apr 2026 11:16:06 +0000

A buffer overflow vulnerability has been identified in Tenda F456 router, specifically version 1.0.0.5. The vulnerability resides within the fromSafeClientFilter function located in the /goform/SafeClientFilter file. Successful exploitation allows a remote attacker to inject and execute arbitrary code. Publicly available exploit code exists, increasing the risk of widespread exploitation targeting vulnerable Tenda F456 devices. This issue poses a significant threat to network security, as a compromised router can lead to data breaches, denial of service, or further network intrusion.

Attack Chain

The attacker identifies a Tenda F456 router running firmware version 1.0.0.5 exposed to the internet.
The attacker crafts a malicious HTTP POST request targeting the /goform/SafeClientFilter endpoint.
The crafted request includes a specially designed payload within the menufacturer/Go argument. This payload is designed to trigger a buffer overflow in the fromSafeClientFilter function.
The fromSafeClientFilter function processes the malicious input without proper bounds checking.
The oversized payload overwrites adjacent memory regions, potentially including return addresses or other critical data.
When the fromSafeClientFilter function attempts to return, the overwritten return address is used, redirecting execution flow to attacker-controlled memory.
The attacker-controlled memory contains shellcode or other malicious instructions.
The router executes the attacker’s code, granting the attacker control over the device.

Impact

Successful exploitation of this vulnerability can result in complete compromise of the Tenda F456 router. An attacker can gain unauthorized access to network traffic, modify router settings, or use the compromised device as a launchpad for further attacks within the network. Given the public availability of exploit code, a large number of Tenda F456 routers could be targeted, potentially affecting numerous home and small business networks. A successful attack could lead to data theft, service disruption, and reputational damage.

Recommendation

Apply any available patches or firmware updates released by Tenda to address CVE-2026-7033 on the F456 1.0.0.5 routers.
Implement network intrusion detection systems (IDS) or intrusion prevention systems (IPS) rules to detect and block malicious requests targeting the /goform/SafeClientFilter endpoint.
Deploy the Sigma rules provided below to your SIEM to detect exploitation attempts targeting the vulnerable endpoint.
Monitor web server logs for suspicious POST requests to /goform/SafeClientFilter with abnormally large menufacturer/Go argument values.

Tenda HG10 HG7_HG9_HG10re_300001138_en_xpon Buffer Overflow Vulnerability

hello@craftedsignal.io — Sat, 25 Apr 2026 18:18:16 +0000

A buffer overflow vulnerability, identified as CVE-2026-6988, has been discovered in Tenda HG10 HG7_HG9_HG10re_300001138_en_xpon. The vulnerability resides within the Boa Service, specifically affecting the formRoute function located in the /boaform/formRouting file. Successful exploitation of this flaw enables a remote attacker to overwrite memory by crafting a malicious request with a manipulated nextHop argument. This can lead to arbitrary code execution on the affected device. Given the potential for remote exploitation and the availability of a published exploit, this vulnerability poses a significant threat.

Attack Chain

The attacker identifies a vulnerable Tenda HG10 HG7_HG9_HG10re_300001138_en_xpon device with the vulnerable Boa web service exposed.
The attacker crafts a malicious HTTP request targeting the /boaform/formRouting endpoint.
The crafted request includes a specially crafted nextHop argument, exceeding the buffer size allocated for it.
The Boa service processes the request without proper bounds checking on the nextHop argument.
The oversized nextHop argument overwrites adjacent memory regions, including critical program data or return addresses.
The overwritten return address redirects execution flow to attacker-controlled code.
The attacker executes arbitrary code on the device with the privileges of the Boa service.
The attacker gains control of the device, potentially leading to data exfiltration, device hijacking, or further network compromise.

Impact

Successful exploitation of CVE-2026-6988 can lead to complete compromise of the affected Tenda HG10 HG7_HG9_HG10re_300001138_en_xpon device. This may result in unauthorized access to the device’s configuration, sensitive data exposure, or the device being used as a bot in a larger attack. Given that this device is likely used in home or small business environments, a successful attack could lead to significant data breaches, financial losses, and reputational damage. The availability of a public exploit increases the likelihood of widespread exploitation.

Recommendation

Apply available patches or firmware updates released by Tenda to address CVE-2026-6988 as soon as possible.
Implement network segmentation to limit the exposure of Tenda devices to the internet or untrusted networks.
Monitor web server logs for suspicious activity targeting the /boaform/formRouting endpoint to detect potential exploit attempts (webserver log source).
Deploy the Sigma rule “Detect Tenda HG10 Buffer Overflow Attempt” to identify malicious HTTP requests exploiting the nextHop argument (Sigma rule).
Implement rate limiting on the /boaform/formRouting endpoint to mitigate potential brute-force exploitation attempts.

rust-openssl Unchecked Callback Length Memory Leak

hello@craftedsignal.io — Thu, 23 Apr 2026 12:00:00 +0000

The rust-openssl crate, a Rust wrapper for the OpenSSL library, is susceptible to a high-severity vulnerability due to unchecked callback lengths within the FFI trampolines used by several functions related to PSK (Pre-Shared Key) and cookie generation. Specifically, versions 0.9.24 up to (but not including) 0.10.78 are affected. The vulnerable functions include SslContextBuilder::set_psk_client_callback, set_psk_server_callback, set_cookie_generate_cb, and set_stateless_cookie_generate_cb. The issue arises because the user-provided closure’s returned usize (size) value is directly passed to OpenSSL without validation against the size of the &mut [u8] buffer provided to the closure, resulting in potential buffer overflows and memory leaks. This allows an attacker to potentially leak adjacent memory regions to a peer.

Attack Chain

An attacker crafts a malicious application or exploits an existing application using the vulnerable rust-openssl crate.
The attacker triggers one of the vulnerable callback functions (set_psk_client_callback, set_psk_server_callback, set_cookie_generate_cb, or set_stateless_cookie_generate_cb).
The vulnerable callback function executes the user-provided closure.
The user-provided closure returns a usize value indicating the intended length of the data to be written to the output buffer.
The FFI trampoline forwards this usize value directly to OpenSSL, bypassing bounds checking against the actual buffer size.
If the returned usize exceeds the allocated buffer size, OpenSSL writes beyond the buffer boundary, leading to a buffer overflow.
The buffer overflow allows the attacker to read adjacent memory regions or overwrite data, potentially leaking sensitive information or corrupting program state.
Successful exploitation could lead to information disclosure, denial of service, or potentially arbitrary code execution.

Impact

Successful exploitation of this vulnerability could lead to information disclosure, denial of service, or potentially arbitrary code execution. Given the widespread use of the rust-openssl crate in various applications, the impact could be significant, affecting numerous services and potentially exposing sensitive data. The vulnerability allows for memory leakage to peers which could have broad consequences.

Recommendation

Upgrade to rust-openssl version 0.10.78 or later to patch the vulnerability (reference: https://github.com/rust-openssl/rust-openssl/releases/tag/openssl-v0.10.78).
Implement input validation and sanitization within user-provided closures to ensure that the returned usize value does not exceed the allocated buffer size, mitigating the risk even in vulnerable versions.

LanSpy 2.0.1.159 Local Buffer Overflow Vulnerability

hello@craftedsignal.io — Wed, 22 Apr 2026 16:16:47 +0000

LanSpy version 2.0.1.159 is susceptible to a local buffer overflow vulnerability (CVE-2018-25268). This vulnerability, reported in April 2026, stems from insufficient input validation within the application’s scan field. An attacker, with local access to a vulnerable system, can exploit this flaw by crafting a specific payload designed to overwrite the instruction pointer. This can lead to application crashes or, more seriously, the potential execution of arbitrary code. The vulnerability exists because the application does not properly handle oversized input to the scan field.

Attack Chain

Attacker gains local access to a system with LanSpy 2.0.1.159 installed.
The attacker crafts a malicious payload consisting of 688 bytes of padding.
The attacker appends 4 bytes of controlled data (representing the desired instruction pointer overwrite) to the padding.
The attacker inputs this crafted payload into the “scan field” of the LanSpy application.
Due to the buffer overflow vulnerability, the oversized input overwrites the application’s buffer on the stack.
The 4 bytes of controlled data overwrite the instruction pointer (EIP on x86 architectures).
When the application attempts to return from the vulnerable function, it jumps to the address specified by the attacker-controlled instruction pointer.
This jump can lead to a crash or, if the attacker provides a valid address containing malicious code, code execution within the context of the LanSpy application.

Impact

Successful exploitation of this vulnerability allows an attacker to potentially execute arbitrary code on the affected system with the privileges of the user running LanSpy. While the exploit requires local access, it can be leveraged to escalate privileges or establish persistence on the compromised machine. There are no reliable victim counts or sectors targeted available.

Recommendation

Due to the age of this software and the lack of available patches, consider uninstalling LanSpy 2.0.1.159 from systems where it is present.
Monitor process execution for unexpected crashes of LanSpy using the process_creation log source to identify exploitation attempts.
Deploy the Sigma rule to detect potential buffer overflow exploitation attempts by monitoring for abnormally large inputs to the LanSpy process in process_creation logs.

H3C Magic B1 Router Buffer Overflow Vulnerability

hello@craftedsignal.io — Sun, 19 Apr 2026 23:16:33 +0000

A critical buffer overflow vulnerability, identified as CVE-2026-6581, affects H3C Magic B1 routers up to version 100R004. The vulnerability resides in the SetMobileAPInfoById function within the /goform/aspForm file. An attacker can exploit this flaw by crafting a malicious request that manipulates the param argument, leading to a buffer overflow and potential remote code execution. This vulnerability is particularly concerning because a public exploit is available, increasing the risk of widespread exploitation. The vendor was notified about the vulnerability but has not responded. Given the ease of exploitation and the potential for complete system compromise, organizations using affected H3C routers should take immediate action.

Attack Chain

The attacker identifies a vulnerable H3C Magic B1 router running a firmware version up to 100R004.
The attacker crafts a malicious HTTP POST request targeting the /goform/aspForm endpoint.
The request includes the SetMobileAPInfoById function call with an overly long value for the param argument, triggering the buffer overflow.
The overflow overwrites adjacent memory regions, including the return address on the stack.
The attacker sets the overwritten return address to point to attacker-controlled code or a ROP chain.
When the SetMobileAPInfoById function returns, execution jumps to the attacker-controlled code.
The attacker’s code executes with elevated privileges, potentially allowing full control of the router.
The attacker can then use the compromised router to establish a foothold within the network, exfiltrate data, or launch further attacks.

Impact

Successful exploitation of CVE-2026-6581 allows a remote attacker to execute arbitrary code with root privileges on the H3C Magic B1 router. This can lead to complete compromise of the device, allowing the attacker to control network traffic, exfiltrate sensitive data, or use the router as a jumping-off point for further attacks within the network. Given the widespread use of these routers in small to medium-sized businesses and homes, a large number of devices are potentially vulnerable. There is no indication of victim counts or sectors targeted at this time.

Recommendation

Deploy the Sigma rule Detect H3C Magic B1 Buffer Overflow Attempt to your SIEM to detect exploitation attempts targeting CVE-2026-6581 via suspicious HTTP POST requests to /goform/aspForm (see Sigma rule below).
Apply appropriate input validation and sanitization measures if you manage the web server to mitigate buffer overflows.
Monitor network traffic for unusual activity originating from H3C Magic B1 routers.
Consider replacing H3C Magic B1 routers with more secure alternatives if updates are not available.

H3C Magic B0 Router Buffer Overflow Vulnerability (CVE-2026-6560)

hello@craftedsignal.io — Sun, 19 Apr 2026 07:16:05 +0000

A critical buffer overflow vulnerability (CVE-2026-6560) has been identified in H3C Magic B0 routers, specifically in versions up to 100R002. The vulnerability resides within the Edit_BasicSSID function of the /goform/aspForm file. An attacker can remotely exploit this flaw by crafting malicious input to the param argument, leading to arbitrary code execution on the device. Public exploits are reportedly available, increasing the risk of widespread exploitation. The vendor was notified about this vulnerability, but has not provided any response or patch as of April 2026. This poses a significant risk to users of the affected H3C Magic B0 routers.

Attack Chain

The attacker identifies a vulnerable H3C Magic B0 router running firmware version 100R002 or earlier.
The attacker crafts a malicious HTTP POST request targeting the /goform/aspForm endpoint.
The POST request includes the Edit_BasicSSID function call.
The param argument within the POST data contains a specially crafted string exceeding the buffer size allocated in the Edit_BasicSSID function.
The buffer overflow occurs when the Edit_BasicSSID function processes the oversized param argument without proper bounds checking.
The overflow overwrites adjacent memory regions, potentially including the return address on the stack.
The attacker gains control of the program execution flow.
The attacker executes arbitrary code on the router, potentially gaining full control of the device, exfiltrating data, or using it as a pivot point for further attacks.

Impact

Successful exploitation of this buffer overflow vulnerability (CVE-2026-6560) allows a remote attacker to execute arbitrary code on the affected H3C Magic B0 router. This could lead to a complete compromise of the device, including the ability to modify router settings, intercept network traffic, and potentially gain access to connected devices on the network. Given the availability of public exploits, widespread exploitation is possible, potentially impacting a large number of home and small business networks.

Recommendation

Monitor web server logs for suspicious POST requests to /goform/aspForm with unusually long param arguments (refer to the Attack Chain section).
Implement rate limiting for requests to /goform/aspForm to mitigate potential exploitation attempts (refer to the Attack Chain section).
Deploy the following Sigma rule to detect exploitation attempts targeting the vulnerable Edit_BasicSSID function.
Block network traffic originating from or destined to H3C Magic B0 devices until a patch is available.

Firebird Database Server Slice Packet Deserialization Buffer Overflow

hello@craftedsignal.io — Fri, 17 Apr 2026 19:16:36 +0000

Firebird, a widely used open-source relational database management system, is susceptible to a critical buffer overflow vulnerability. Present in versions prior to 5.0.4, 4.0.7, and 3.0.14, the vulnerability resides within the xdr_datum() function, responsible for deserializing slice packets. This function fails to adequately validate the length of cstring data against the slice descriptor bounds. Consequently, an attacker can craft a malicious packet containing an oversized cstring, leading to a buffer overflow. An unauthenticated attacker exploiting this vulnerability can send a crafted packet to the Firebird server, potentially causing a denial-of-service condition via a crash or, more seriously, achieving arbitrary code execution on the affected system. Organizations utilizing vulnerable Firebird versions are urged to upgrade to versions 5.0.4, 4.0.7, or 3.0.14 to mitigate this risk.

Attack Chain

The attacker identifies a Firebird server running a vulnerable version (prior to 5.0.4, 4.0.7, or 3.0.14).
The attacker crafts a malicious slice packet designed to exploit the xdr_datum() function’s insufficient bounds checking. This packet includes an overly long cstring.
The attacker establishes a network connection to the Firebird server.
The attacker transmits the crafted malicious slice packet to the Firebird server.
The Firebird server’s xdr_datum() function processes the malicious packet without proper cstring length validation.
The oversized cstring overflows the allocated buffer during deserialization.
The buffer overflow corrupts adjacent memory regions, potentially overwriting critical data structures or executable code.
Depending on the overwritten memory, the server either crashes, leading to denial of service, or the attacker achieves arbitrary code execution, enabling them to gain control of the system.

Impact

Successful exploitation of this vulnerability could lead to a denial-of-service condition due to a server crash, disrupting database services and impacting applications reliant on the Firebird database. In a more severe scenario, an attacker could gain arbitrary code execution on the server, allowing them to potentially steal sensitive data, compromise the integrity of the database, or use the compromised server as a launchpad for further attacks within the network. While specific victim counts are unavailable, the widespread use of Firebird implies a significant potential impact across various sectors.

Recommendation

Immediately upgrade Firebird servers to versions 5.0.4, 4.0.7, or 3.0.14 to patch CVE-2026-33337 and eliminate the buffer overflow vulnerability.
Deploy the Sigma rule “Detect Firebird Slice Packet Overflow Attempt” to identify potential exploitation attempts based on anomalous network traffic patterns.
Monitor network traffic for connections to Firebird servers originating from unexpected or untrusted sources to detect potential reconnaissance or exploitation attempts. Enable network connection logging to support this monitoring.

Openfind MailGates/MailAudit Stack-based Buffer Overflow (CVE-2026-6350)

hello@craftedsignal.io — Thu, 16 Apr 2026 03:16:30 +0000

Openfind MailGates and MailAudit are susceptible to a critical stack-based buffer overflow vulnerability, identified as CVE-2026-6350. This flaw allows unauthenticated remote attackers to gain control over the program’s execution flow and execute arbitrary code on the affected system. The vulnerability stems from insufficient input validation, leading to a buffer overflow when processing specifically crafted requests. Given the nature of MailGates/MailAudit as email security solutions, successful exploitation can lead to a full compromise of the email infrastructure and potential data breaches. The vulnerability was reported on April 15, 2026, and affects undisclosed versions of MailGates/MailAudit.

Attack Chain

An unauthenticated remote attacker identifies a vulnerable MailGates/MailAudit instance.
The attacker crafts a malicious network request specifically designed to trigger the stack-based buffer overflow in MailGates/MailAudit.
The attacker sends the crafted request to the targeted MailGates/MailAudit server.
The vulnerable application receives and processes the malicious request without proper input sanitization.
The oversized input overwrites adjacent memory on the stack, including the return address.
When the function attempts to return, it jumps to an address controlled by the attacker.
The attacker-controlled address points to shellcode injected within the overflowing buffer or elsewhere in memory.
The shellcode executes arbitrary commands on the server, potentially leading to complete system compromise and data exfiltration.

Impact

Successful exploitation of CVE-2026-6350 allows unauthenticated remote attackers to execute arbitrary code on the MailGates/MailAudit server. This can result in full system compromise, allowing attackers to steal sensitive email data, modify email content, or use the compromised server as a launchpad for further attacks. Given that MailGates/MailAudit are used by numerous organizations for email security, a successful widespread attack could impact potentially thousands of organizations and millions of users.

Recommendation

Monitor web server logs for unusual request patterns indicative of buffer overflow attempts targeting MailGates/MailAudit.
Inspect network traffic for suspicious payloads being sent to MailGates/MailAudit servers, looking for patterns that could indicate exploit attempts.
Deploy the Sigma rule provided below to detect potential exploitation attempts targeting CVE-2026-6350.
Consult Openfind’s security advisories for patches and mitigation steps specific to CVE-2026-6350.
If available apply updates provided by Openfind to remediate CVE-2026-6350 on the MailGates/MailAudit servers.

GIMP GIF Image Buffer Overflow Vulnerability

hello@craftedsignal.io — Wed, 15 Apr 2026 20:16:44 +0000

A buffer overflow vulnerability, CVE-2026-6384, has been identified in the GIF image loading component of GIMP (GNU Image Manipulation Program). The vulnerability resides within the ReadJeffsImage function. An attacker can exploit this flaw by crafting a malicious GIF file that, when processed by GIMP, causes a write operation beyond the allocated buffer. Successful exploitation can result in a denial of service (DoS) condition or, potentially, arbitrary code execution. This vulnerability poses a risk to systems where GIMP is used to process potentially untrusted GIF files.

Attack Chain

An attacker crafts a malicious GIF file designed to trigger the buffer overflow.
The attacker delivers the malicious GIF file to a target user, potentially through social engineering or a compromised website.
The user opens the malicious GIF file with GIMP.
GIMP’s ReadJeffsImage function attempts to process the malformed GIF data.
The ReadJeffsImage function writes beyond the bounds of an allocated buffer due to insufficient size validation.
This buffer overflow overwrites adjacent memory regions.
If the overwritten memory contains critical program data or executable code, it can lead to a denial of service.
In a more sophisticated attack, the overflow could be carefully crafted to overwrite execution flow and achieve arbitrary code execution.

Impact

Successful exploitation of this buffer overflow vulnerability (CVE-2026-6384) can lead to a denial-of-service condition, crashing the GIMP application and preventing users from processing images. More critically, it can potentially allow an attacker to execute arbitrary code on the affected system, leading to complete system compromise. The vulnerability affects any system where a user opens a malicious GIF file using a vulnerable version of GIMP.

Recommendation

Apply the security patches provided by GIMP to address CVE-2026-6384.
Deploy the Sigma rule DetectSuspiciousGimpProcess to detect potential exploitation attempts based on process execution (log source: process_creation).
Monitor file access events (file_event) for GIMP accessing unusual or temporary file locations when opening GIF files.
Educate users to be cautious when opening GIF files from untrusted sources to mitigate initial access vectors.

CVE-2026-32195 Windows Kernel Stack-Based Buffer Overflow Privilege Escalation

hello@craftedsignal.io — Wed, 15 Apr 2026 12:00:00 +0000

CVE-2026-32195 is a high-severity vulnerability affecting the Windows Kernel. This stack-based buffer overflow can be exploited by an attacker with local access to elevate their privileges. The vulnerability was published on April 14, 2026. The vulnerability exists within the Windows Kernel, a core component of the operating system, making it a critical target for exploitation. Successful exploitation could lead to complete system compromise, allowing the attacker to perform any action on the system. While the exact details of the vulnerable code are not provided in the source material, the nature of a stack-based buffer overflow suggests careful memory manipulation is required for successful exploitation.

Attack Chain

Attacker gains initial access to the system with standard user privileges.
Attacker identifies the presence of CVE-2026-32195 in the target Windows Kernel version.
Attacker crafts a malicious payload designed to overflow the stack buffer when processed by the vulnerable kernel function.
The attacker executes a program or triggers a specific kernel function call that processes the crafted payload.
The overflow overwrites critical return addresses or other sensitive data on the stack.
The overwritten return address redirects execution to attacker-controlled code, allowing for arbitrary code execution within the kernel context.
The attacker’s code executes with elevated privileges, such as SYSTEM.
Attacker leverages elevated privileges to install malware, modify system configurations, or exfiltrate sensitive data.

Impact

Successful exploitation of CVE-2026-32195 allows an attacker to elevate their privileges from a standard user to SYSTEM. This grants the attacker complete control over the compromised system, enabling them to install malicious software, steal sensitive data, or disrupt critical services. The impact is severe, as it bypasses normal access controls and allows for unrestricted access to system resources. While the exact number of potential victims is unknown, all Windows systems with the vulnerable kernel version are susceptible to this attack.

Recommendation

Apply the patch released by Microsoft to address CVE-2026-32195 as soon as possible. The update is available through the Microsoft Security Response Center (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32195).
Monitor systems for unexpected kernel-level modifications or privilege escalation attempts using endpoint detection and response (EDR) solutions.
Enable Sysmon process creation logging to detect suspicious processes spawned by kernel exploits to activate the first Sigma rule below.
Deploy the Sigma rules in this brief to your SIEM and tune for your environment.

Microsoft Graphics Component Heap-based Buffer Overflow Vulnerability (CVE-2026-32221)

hello@craftedsignal.io — Tue, 14 Apr 2026 18:17:30 +0000

CVE-2026-32221 describes a heap-based buffer overflow vulnerability residing within the Microsoft Graphics Component. This flaw allows an attacker with local access to execute arbitrary code on a vulnerable system. The vulnerability stems from improper handling of memory allocation within the graphics component when processing malformed or specially crafted image files or graphics data. An unauthenticated, local attacker could exploit this vulnerability to gain elevated privileges or potentially take control of the targeted system. The vulnerability was published on April 14, 2026, and defenders should promptly investigate and apply applicable patches as provided by Microsoft.

Attack Chain

An attacker crafts a malicious image file or graphic data specifically designed to trigger the buffer overflow in the Microsoft Graphics Component.
The attacker must gain local access to a vulnerable system. This could be achieved through various means, such as social engineering or exploiting other existing vulnerabilities.
The attacker triggers the vulnerable graphics component to process the malicious image file or graphic data through a local application that uses the component.
The Microsoft Graphics Component attempts to allocate memory to process the crafted image, but the size calculation is flawed.
The component writes data beyond the allocated buffer on the heap due to the buffer overflow.
This overwrite corrupts adjacent heap memory, potentially overwriting critical data structures or function pointers.
The attacker gains control of the program execution flow by overwriting function pointers with malicious code addresses.
The attacker executes arbitrary code within the context of the application using the graphics component, potentially leading to privilege escalation or system compromise.

Impact

Successful exploitation of CVE-2026-32221 allows a local attacker to execute arbitrary code on the target system. Given the high CVSS score (8.4), this vulnerability poses a significant risk. If successfully exploited, an attacker could potentially gain complete control of the compromised system, leading to data theft, malware installation, or denial of service. The impact is significant for any system utilizing the vulnerable Microsoft Graphics Component, affecting both workstations and servers. The scope of the impact is limited to local access, but it can be a stepping stone for more far-reaching attacks if combined with other vulnerabilities or social engineering techniques.

Recommendation

Apply the security updates released by Microsoft to address CVE-2026-32221 on all affected systems immediately, as referenced in the advisory URL.
Enable and review process creation logs for unexpected processes spawned by applications that use the Microsoft Graphics Component to identify potential exploitation attempts.
Implement the provided Sigma rule to detect suspicious process execution following a crash or error related to graphics processing.

CVE-2026-26176 Windows CSC Driver Privilege Escalation

hello@craftedsignal.io — Tue, 14 Apr 2026 18:16:53 +0000

CVE-2026-26176 is a critical security vulnerability affecting the Windows Client Side Caching driver (csc.sys). The vulnerability is a heap-based buffer overflow that can be exploited by an authorized, local attacker to gain elevated privileges on the system. The specific version of the driver affected is not detailed, but the vulnerability was disclosed and patched in April 2026. A successful exploit could allow an attacker to perform actions with elevated privileges, potentially leading to full system compromise. This vulnerability highlights the importance of keeping Windows systems up-to-date with the latest security patches to mitigate the risk of exploitation.

Attack Chain

The attacker gains initial access to the target system with low privileges through legitimate means.
The attacker crafts a malicious input designed to trigger the heap-based buffer overflow in csc.sys.
The attacker interacts with the Client Side Caching driver (csc.sys) via a local API call, passing the malicious input.
The malicious input overwrites adjacent memory on the heap due to the buffer overflow.
The attacker carefully manipulates the overwritten memory to gain control of critical system structures.
The attacker leverages the controlled memory to overwrite function pointers within the kernel.
The attacker triggers the execution of the overwritten function pointer, redirecting control to attacker-supplied code.
The attacker’s code executes with elevated privileges, allowing the attacker to perform privileged actions on the system.

Impact

Successful exploitation of CVE-2026-26176 allows a local attacker with low privileges to escalate their privileges to SYSTEM. This could lead to complete system compromise, including the installation of malware, exfiltration of sensitive data, or disruption of critical services. While the number of affected systems is currently unknown, all unpatched Windows systems are potentially vulnerable. Organizations that do not promptly apply the security update released by Microsoft are at significant risk of exploitation.

Recommendation

Apply the Microsoft security update released to address CVE-2026-26176 on all affected Windows systems immediately. The specific update can be found on the Microsoft Security Response Center (MSRC) at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26176.
Monitor for abnormal behavior of the csc.exe process using the “Detect Suspicious Csc.exe Process Creation” Sigma rule to detect potential exploitation attempts.
Enable process creation auditing with command line arguments to ensure the Sigma rules can detect malicious activity.

Totolink A3002MU Router Stack-Based Buffer Overflow Vulnerability

hello@craftedsignal.io — Tue, 14 Apr 2026 12:00:00 +0000

CVE-2026-6194 describes a stack-based buffer overflow vulnerability present in Totolink A3002MU router firmware version B20211125.1046. The vulnerability resides within the HTTP Request Handler, specifically in the sub_410188 function of the /boafrm/formWlanSetup file. A remote attacker can exploit this vulnerability by crafting a malicious HTTP request that manipulates the wan-url argument, leading to arbitrary code execution on the device. Publicly available exploit code increases the likelihood of exploitation. Successful exploitation allows an attacker to compromise the device and potentially gain control of the network.

Attack Chain

The attacker identifies a vulnerable Totolink A3002MU router running firmware B20211125.1046.
The attacker crafts a malicious HTTP POST request targeting the /boafrm/formWlanSetup endpoint.
The crafted request includes a wan-url argument with a payload exceeding the buffer size allocated for it in the sub_410188 function.
The HTTP Request Handler processes the request and calls the vulnerable sub_410188 function.
Due to insufficient bounds checking, the oversized wan-url argument overflows the stack buffer.
The attacker overwrites critical data on the stack, including the return address.
Upon returning from the sub_410188 function, execution is redirected to an attacker-controlled address.
The attacker executes arbitrary code, potentially gaining full control of the router.

Impact

Successful exploitation of CVE-2026-6194 can lead to complete compromise of the affected Totolink A3002MU router. This allows attackers to eavesdrop on network traffic, modify DNS settings, inject malicious code into web pages served to connected clients, or use the compromised router as a botnet node. Given the widespread use of these routers, a large number of devices could be at risk, potentially impacting home and small business networks.

Recommendation

Monitor web server logs for suspicious POST requests to /boafrm/formWlanSetup with unusually long wan-url parameters to detect potential exploitation attempts (see Sigma rule “Detect Suspicious WAN-URL Parameter Length”).
Deploy the Sigma rules provided in this brief to your SIEM to detect and alert on potential exploitation attempts.
If possible, block requests matching the patterns identified in the Sigma rules at your network perimeter.

TOTOLINK A7000R Stack-Based Buffer Overflow Vulnerability

hello@craftedsignal.io — Mon, 13 Apr 2026 07:16:51 +0000

A stack-based buffer overflow vulnerability, tracked as CVE-2026-6168, has been identified in TOTOLINK A7000R routers with firmware versions up to 9.1.0u.6115. The vulnerability resides within the setWiFiEasyGuestCfg function located in the /cgi-bin/cstecgi.cgi file. Successful exploitation allows a remote attacker to execute arbitrary code on the device. Publicly available exploit code exists, increasing the risk of widespread exploitation. Given the widespread use of TOTOLINK devices, this vulnerability poses a significant threat to home and small business networks. Exploitation is possible with low privileges, as it only requires authentication to the device’s web interface.

Attack Chain

Attacker authenticates to the TOTOLINK A7000R web interface. This step assumes default credentials or compromised credentials.
The attacker crafts a malicious HTTP POST request targeting the /cgi-bin/cstecgi.cgi endpoint.
The request includes the setWiFiEasyGuestCfg function call.
The ssid5g argument within the POST request is populated with a string exceeding the buffer’s capacity.
The vulnerable setWiFiEasyGuestCfg function in /cgi-bin/cstecgi.cgi processes the oversized ssid5g argument without proper bounds checking.
This leads to a stack-based buffer overflow, overwriting adjacent memory regions.
The attacker leverages the overflow to inject and execute arbitrary code on the device.
Successful code execution can grant the attacker full control of the router, enabling further malicious activities.

Impact

Successful exploitation of CVE-2026-6168 allows a remote attacker to execute arbitrary code on the vulnerable TOTOLINK A7000R device. This can lead to complete compromise of the router, including the ability to intercept network traffic, modify DNS settings, inject malicious scripts into websites, and use the router as a pivot point for further attacks within the network. This vulnerability affects potentially thousands of devices, particularly in home and small business environments.

Recommendation

Apply firmware updates immediately if TOTOLINK releases a patch for CVE-2026-6168.
Monitor web server logs for POST requests to /cgi-bin/cstecgi.cgi with unusually long ssid5g parameters, using the provided Sigma rule.
Implement network intrusion detection systems (IDS) rules to detect attempts to exploit stack-based buffer overflows targeting TOTOLINK devices.
Restrict access to the router’s web interface to trusted IP addresses, if possible.
Enforce strong and unique passwords for all router accounts.

Samsung Escargot Out-of-Bounds Write Vulnerability (CVE-2026-25207)

hello@craftedsignal.io — Mon, 13 Apr 2026 05:17:17 +0000

CVE-2026-25207 is an out-of-bounds write vulnerability affecting Samsung Open Source Escargot, specifically version 97e8115ab1110bc502b4b5e4a0c689a71520d335. This flaw allows attackers to potentially overwrite memory buffers, leading to denial of service or arbitrary code execution. The vulnerability arises due to insufficient bounds checking when handling specific data inputs within the Escargot software. Successful exploitation of this vulnerability could grant an attacker elevated privileges or control over the affected system. The severity of the vulnerability is rated as HIGH with a CVSS score of 7.4, indicating a significant risk to systems running vulnerable versions of Escargot.

Attack Chain

An attacker crafts a malicious input designed to trigger the out-of-bounds write.
The malicious input is sent to the vulnerable Escargot application. This could involve exploiting a network service that relies on Escargot for data processing.
Escargot processes the malicious input without proper bounds checking.
The lack of bounds checking allows the input to write data beyond the allocated buffer.
The out-of-bounds write overwrites adjacent memory regions, potentially corrupting program data or code.
The memory corruption leads to a crash or allows the attacker to overwrite critical function pointers.
If function pointers are successfully overwritten, the attacker gains control of program execution.
The attacker can execute arbitrary code with the privileges of the Escargot process.

Impact

Successful exploitation of CVE-2026-25207 can lead to arbitrary code execution with the privileges of the Escargot process. This can result in complete system compromise, data loss, or denial of service. Given the potential for remote code execution, this vulnerability poses a significant risk to systems utilizing the vulnerable Escargot version.

Recommendation

Apply the patch provided in the associated GitHub pull request to remediate the vulnerability. (https://github.com/Samsung/escargot/pull/1554)
Monitor systems for unexpected crashes or memory corruption events related to the Escargot process.
Implement input validation and sanitization measures to prevent malicious inputs from reaching the vulnerable code.

Totolink A800R Remote Buffer Overflow Vulnerability

hello@craftedsignal.io — Mon, 13 Apr 2026 04:26:40 +0000

A critical buffer overflow vulnerability, identified as CVE-2026-6157, has been discovered in Totolink A800R routers running firmware version 4.1.2cu.5137_B20200730. The vulnerability resides within the setAppEasyWizardConfig function in the /lib/cste_modules/app.so library. Successful exploitation allows remote attackers to potentially execute arbitrary code on the device. Publicly available exploits exist, increasing the risk of widespread exploitation. Routers are often the perimeter defense for networks making them lucrative targets.

Attack Chain

The attacker identifies a vulnerable Totolink A800R router with firmware version 4.1.2cu.5137_B20200730 exposed to the internet.
The attacker crafts a malicious HTTP request targeting the setAppEasyWizardConfig function.
The malicious request includes an overly long string as the value for the apcliSsid argument.
The router receives the HTTP request and passes the apcliSsid argument to the setAppEasyWizardConfig function.
The setAppEasyWizardConfig function copies the contents of apcliSsid into a fixed-size buffer without proper bounds checking.
The overly long apcliSsid string overflows the buffer, overwriting adjacent memory locations.
The attacker carefully crafts the overflowed data to overwrite the return address of the function.
When the function returns, control is transferred to the attacker’s code, leading to arbitrary code execution. This could lead to the installation of malware or complete control of the device.

Impact

Successful exploitation of this buffer overflow vulnerability grants the attacker the ability to execute arbitrary code on the affected Totolink A800R router. This can result in complete compromise of the device, enabling the attacker to intercept network traffic, modify router settings, or use the router as a launching point for further attacks within the network. Given the availability of public exploits, a large number of devices could be vulnerable, making this a high-impact threat.

Recommendation

Apply any available firmware updates from Totolink to patch CVE-2026-6157.
Monitor network traffic for suspicious HTTP requests targeting the setAppEasyWizardConfig function, as described in the attack chain. Deploy the provided Sigma rule to detect potential exploitation attempts.
Implement network segmentation to limit the impact of a compromised router.
If updates are unavailable, consider replacing the vulnerable device.
Disable remote management access to the router to reduce the attack surface.

Easy Video to iPod Converter 1.6.20 Local Buffer Overflow Vulnerability

hello@craftedsignal.io — Sun, 12 Apr 2026 13:16:32 +0000

Easy Video to iPod Converter version 1.6.20 is susceptible to a local buffer overflow vulnerability (CVE-2019-25701) within the user registration functionality. This vulnerability allows an attacker with local access to the system to potentially overwrite the Structured Exception Handler (SEH) by providing a crafted payload larger than 996 bytes in the username field during registration. This could lead to arbitrary code execution within the context of the user running the vulnerable application. Successful exploitation requires a local attacker with the ability to interact with the Easy Video to iPod Converter software. This vulnerability was published on 2026-04-12 and poses a significant risk because it allows for local privilege escalation.

Attack Chain

The attacker gains local access to a system with Easy Video to iPod Converter 1.6.20 installed.
The attacker launches the Easy Video to iPod Converter application.
The attacker navigates to the user registration field within the application.
The attacker inputs a specially crafted payload exceeding 996 bytes into the username registration field.
Due to the buffer overflow vulnerability, the payload overwrites the Structured Exception Handler (SEH).
The application attempts to handle an exception, triggering the overwritten SEH.
Control is transferred to the attacker’s payload within the overwritten SEH.
The attacker executes arbitrary code with the privileges of the user running the application.

Impact

Successful exploitation of CVE-2019-25701 allows a local attacker to execute arbitrary code on the targeted system. This could lead to privilege escalation, allowing the attacker to gain elevated access and control over the system. The impact includes potential data theft, system compromise, and further malicious activities initiated from the compromised host. The severity is high due to the potential for full system compromise, and the vulnerability is exploitable locally.

Recommendation

Monitor process creations for suspicious processes spawned from the Easy Video to iPod Converter executable, as this may indicate successful exploitation (see rule: “Suspicious Process Creation from Easy Video to iPod Converter”).
Monitor for registry modifications performed by the Easy Video to iPod Converter process, as some exploitation techniques might involve persistence mechanisms via registry keys (see rule: “Registry Modification by Easy Video to iPod Converter”).
Consider upgrading or removing the vulnerable application if a patch is not available to mitigate CVE-2019-25701.

RGui 3.5.0 Local Buffer Overflow Vulnerability

hello@craftedsignal.io — Sun, 12 Apr 2026 13:16:31 +0000

RGui 3.5.0, a component of the R programming language distribution for Windows, is vulnerable to a local buffer overflow in its GUI preferences dialog. This vulnerability, identified as CVE-2018-25258, allows an attacker with local access to bypass Data Execution Prevention (DEP) and execute arbitrary code. The attack involves crafting malicious input to the “Language for menus and messages” field within the GUI preferences, triggering a stack-based buffer overflow. This overflow overwrites the Structured Exception Handler (SEH) record, enabling the attacker to redirect execution flow and execute a Return-Oriented Programming (ROP) chain. The ROP chain is then used to allocate memory using VirtualAlloc and ultimately execute arbitrary code. This vulnerability impacts systems running the affected version of RGui.

Attack Chain

The attacker gains local access to a Windows system running RGui 3.5.0.
The attacker opens the GUI preferences dialog within RGui.
The attacker inputs a specially crafted string into the “Language for menus and messages” field. This string is designed to overflow the buffer on the stack.
The buffer overflow overwrites the SEH record, replacing the legitimate handler address with the address of a ROP chain.
An exception occurs due to the overflow, triggering the SEH.
Instead of the legitimate exception handler, the attacker’s ROP chain is executed.
The ROP chain calls VirtualAlloc to allocate a region of memory with execute permissions.
The attacker copies malicious code into the newly allocated memory and transfers control to it, achieving arbitrary code execution.

Impact

Successful exploitation of this vulnerability allows an attacker to execute arbitrary code with the privileges of the user running RGui. This could lead to the installation of malware, data theft, or complete system compromise. While the vulnerability requires local access, it represents a significant risk to systems where untrusted users have access to RGui. The vulnerability affects RGui version 3.5.0.

Recommendation

Upgrade to a later version of RGui that addresses the CVE-2018-25258 vulnerability if available.
Monitor process creations for rgui.exe spawning unusual child processes or making unexpected network connections, using a process creation log source.
Implement application whitelisting to prevent the execution of unauthorized programs.
Deploy the Sigma rule for detecting potential ROP chain execution to identify exploitation attempts.

HTML5 Video Player 1.2.5 Local Buffer Overflow Vulnerability

hello@craftedsignal.io — Sun, 12 Apr 2026 13:16:31 +0000

HTML5 Video Player version 1.2.5 is susceptible to a local buffer overflow vulnerability (CVE-2019-25689). An attacker can exploit this flaw by crafting a malicious payload exceeding 997 bytes and pasting it into the “KEY CODE” field located within the Help Register dialog. Successful exploitation leads to arbitrary code execution within the context of the application, as demonstrated by spawning a calculator process. This vulnerability, discovered in 2019 but only recently published, highlights the importance of keeping software up to date and being cautious about user-supplied input, even in seemingly benign interfaces. The vulnerability has a CVSS v3.1 score of 8.4, indicating a high severity due to the potential for complete system compromise.

Attack Chain

Attacker identifies a vulnerable instance of HTML5 Video Player 1.2.5.
Attacker opens the Help Register dialog within the HTML5 Video Player.
Attacker prepares a malicious payload exceeding 997 bytes, designed to overwrite the buffer.
Attacker copies the crafted payload into the “KEY CODE” field within the Help Register dialog.
The application attempts to process the oversized key code, triggering the buffer overflow.
The overflow overwrites adjacent memory, including the instruction pointer.
The instruction pointer is redirected to attacker-controlled code within the payload.
The attacker-controlled code executes, spawning a calculator process as proof of concept, but can be any arbitrary code.

Impact

Successful exploitation of this buffer overflow vulnerability grants the attacker the ability to execute arbitrary code within the context of the affected HTML5 Video Player process. While the proof-of-concept exploit spawns a calculator, attackers could leverage this vulnerability to install malware, steal sensitive data, or pivot to other systems on the network. Due to the local nature of the attack, the impact is limited to systems where the vulnerable software is installed and the attacker has local access.

Recommendation

Although no patch is available, consider uninstalling HTML5 Video Player 1.2.5 or restricting access to systems where it is installed to mitigate the risk of CVE-2019-25689.
Monitor process creations for suspicious child processes spawned from the HTML5 Video Player executable using the Suspicious Child Process of HTML5 Video Player Sigma rule.
Implement application whitelisting to prevent the execution of unauthorized code, which can help to mitigate the impact of successful exploitation.

Tenda F451 Router Stack-Based Buffer Overflow Vulnerability

hello@craftedsignal.io — Sun, 12 Apr 2026 12:00:00 +0000

A stack-based buffer overflow vulnerability has been identified in Tenda F451 router firmware version 1.0.0.7. The vulnerability resides in the fromDhcpListClient function within the /goform/DhcpListClient component’s httpd service. A remote attacker can exploit this vulnerability by sending a specially crafted HTTP request with a malicious page argument. This can lead to arbitrary code execution on the device. Given the public availability of the exploit (CVE-2026-6120), Tenda F451 routers are at immediate risk of compromise if not properly secured. This vulnerability poses a significant threat due to the widespread use of Tenda routers in home and small office environments.

Attack Chain

Attacker identifies a Tenda F451 router running vulnerable firmware version 1.0.0.7.
The attacker crafts a malicious HTTP GET or POST request targeting the /goform/DhcpListClient endpoint.
The crafted request includes a page argument with a string exceeding the buffer size allocated for it in the fromDhcpListClient function.
The httpd service on the router receives the malicious request and passes the page argument to the vulnerable function.
The fromDhcpListClient function attempts to copy the oversized page argument into a fixed-size buffer on the stack, causing a buffer overflow.
The overflow overwrites adjacent stack memory, including the return address of the function.
The attacker controls the overwritten return address, redirecting execution to attacker-controlled code or a ROP chain.
The attacker gains arbitrary code execution on the router, potentially leading to complete device compromise and network access.

Impact

Successful exploitation of this vulnerability can lead to complete compromise of the Tenda F451 router. This allows attackers to control the device, intercept network traffic, change DNS settings, inject malicious scripts into web pages served to connected devices, or use the router as a pivot point for further attacks within the network. This vulnerability affects all users of the Tenda F451 router running firmware version 1.0.0.7, potentially impacting thousands of devices globally. Given the high CVSS score of 8.8, the risk is substantial.

Recommendation

Monitor web server logs for suspicious requests targeting the /goform/DhcpListClient endpoint, especially those with unusually long page parameters (refer to the rule Tenda F451 Suspicious URI Length).
Inspect network traffic for abnormal patterns related to compromised routers (unusual DNS requests, connections to known malicious IPs).
Implement rate limiting and input validation on web server endpoints where possible to mitigate buffer overflow attempts.
Apply any available firmware updates from Tenda to patch CVE-2026-6120, although patches may not be available.
Consider deploying network intrusion detection systems (NIDS) to identify and block exploitation attempts (refer to the Tenda F451 Buffer Overflow Attempt rule).

Tenda F451 Router Stack-Based Buffer Overflow Vulnerability

hello@craftedsignal.io — Sun, 12 Apr 2026 08:16:37 +0000

A critical stack-based buffer overflow vulnerability has been identified in Tenda F451 router version 1.0.0.7. The vulnerability resides within the frmL7ProtForm function of the /goform/L7Prot component, specifically within the httpd service. A remote attacker can exploit this flaw by crafting a malicious request targeting the page argument. Successful exploitation allows the attacker to execute arbitrary code on the device. Publicly available exploit code exists, increasing the risk of widespread exploitation. This vulnerability poses a significant threat to affected devices, potentially leading to full device compromise.

Attack Chain

Attacker identifies a vulnerable Tenda F451 router running firmware version 1.0.0.7.
Attacker crafts a malicious HTTP GET or POST request targeting the /goform/L7Prot endpoint.
The malicious request includes the page argument with a payload exceeding the buffer size allocated for it within the frmL7ProtForm function.
The httpd service processes the request without proper bounds checking on the page argument.
The oversized payload overflows the stack buffer during the execution of the frmL7ProtForm function.
The buffer overflow overwrites adjacent memory regions on the stack, including the return address.
The attacker-controlled return address redirects execution to attacker-supplied code or a return-oriented programming (ROP) chain.
The attacker executes arbitrary code on the router, potentially gaining full control of the device.

Impact

Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the affected Tenda F451 router. This can lead to a complete compromise of the device, allowing the attacker to modify router settings, intercept network traffic, or use the device as a bot in a botnet. Given the availability of public exploits, vulnerable devices are at high risk of compromise. The number of potentially affected devices is substantial, as the Tenda F451 is a widely used router model.

Recommendation

Monitor web server logs for requests to /goform/L7Prot with unusually long page parameters, deploying the Sigma rule Detect Tenda F451 Buffer Overflow Attempt to identify potential exploitation attempts.
Since no patch is available, consider replacing the Tenda F451 1.0.0.7 with a more secure router or firewall solution.
Implement network segmentation to limit the impact of a compromised router on other network devices.
Disable remote administration access to the router to reduce the attack surface.

Tenda F451 Stack-Based Buffer Overflow Vulnerability (CVE-2026-6121)

hello@craftedsignal.io — Sun, 12 Apr 2026 08:16:36 +0000

CVE-2026-6121 is a stack-based buffer overflow vulnerability affecting Tenda F451 router version 1.0.0.7. The vulnerability resides within the WrlclientSet function located in the /goform/WrlclientSet file of the httpd component. An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the affected router, specifically manipulating the GO argument. Due to insufficient bounds checking on the GO argument’s size when passed to the WrlclientSet function, an attacker can write beyond the allocated buffer on the stack, potentially leading to arbitrary code execution. Publicly available exploits exist, increasing the risk of widespread exploitation. Routers that are accessible from the internet are at highest risk.

Attack Chain

Attacker identifies a Tenda F451 router version 1.0.0.7 exposed to the internet.
The attacker crafts a malicious HTTP POST request targeting the /goform/WrlclientSet endpoint.
Within the HTTP POST request, the attacker includes the GO argument, filling it with a payload exceeding the buffer size allocated for it within the WrlclientSet function.
The httpd component of the Tenda F451 router receives the HTTP request and passes the GO argument to the vulnerable WrlclientSet function.
Due to the buffer overflow, the attacker’s payload overwrites adjacent memory locations on the stack.
The attacker’s payload overwrites the return address on the stack, redirecting execution flow to attacker-controlled code.
The attacker-controlled code executes with the privileges of the httpd process, allowing the attacker to perform actions such as modifying router configuration, executing system commands, or establishing a reverse shell.
The attacker gains persistent access to the router and potentially the internal network.

Impact

Successful exploitation of CVE-2026-6121 can lead to complete compromise of the affected Tenda F451 router. An attacker can gain unauthorized access to the device’s configuration, potentially modifying DNS settings, firewall rules, or other critical parameters. This can lead to redirection of user traffic, denial-of-service attacks, or the establishment of a foothold within the targeted network for further malicious activities. Given the ease of exploitation due to the publicly available exploit code, a large number of Tenda F451 routers could be compromised.

Recommendation

Monitor web server logs for POST requests to /goform/WrlclientSet with abnormally long GO parameter values to detect potential exploitation attempts (see Sigma rule below and enable webserver logging).
Implement rate limiting for requests to the /goform/WrlclientSet endpoint to mitigate potential brute-force exploitation attempts (configure your firewall or WAF).
Upgrade to a patched firmware version when available or replace the affected devices, if the vendor does not provide a fix.

osslsigncode Stack Buffer Overflow Vulnerability (CVE-2026-39853)

hello@craftedsignal.io — Thu, 09 Apr 2026 16:16:31 +0000

A stack buffer overflow vulnerability has been identified in osslsigncode, a tool used for Authenticode signing and timestamping. Specifically, versions prior to 2.12 are susceptible to CVE-2026-39853. The vulnerability occurs during the verification of PKCS#7 signatures in PE, MSI, CAB, and script files. The code copies the digest value from a parsed SpcIndirectDataContent structure into a fixed-size stack buffer (64 bytes) without proper length validation. This allows an attacker to craft a malicious signed file containing an oversized digest field within the SpcIndirectDataContent structure. When a user attempts to verify this malicious file using a vulnerable version of osslsigncode, the resulting unbounded memcpy operation overflows the stack buffer, potentially corrupting adjacent stack state and leading to arbitrary code execution. This vulnerability has been addressed in osslsigncode version 2.12.

Attack Chain

Attacker crafts a malicious signed file (PE, MSI, CAB, or script) with an oversized digest field within the SpcIndirectDataContent structure of the PKCS#7 signature.
The malicious file is distributed to a target user or system.
The target system uses a vulnerable version of osslsigncode (prior to 2.12) to verify the signature of the malicious file using the command osslsigncode verify.
During the signature verification process, osslsigncode parses the SpcIndirectDataContent structure.
The vulnerable code attempts to copy the digest value from the parsed SpcIndirectDataContent into a fixed-size stack buffer (64 bytes) without proper length validation.
Due to the oversized digest field, the memcpy operation overflows the stack buffer.
The stack buffer overflow corrupts adjacent stack state, potentially overwriting return addresses or other critical data.
The corrupted stack state leads to arbitrary code execution under the context of the osslsigncode process, granting the attacker control of the system.

Impact

Successful exploitation of CVE-2026-39853 allows an attacker to execute arbitrary code on a system running a vulnerable version of osslsigncode. This can lead to complete system compromise, data exfiltration, or further malicious activities. While the specific number of affected systems is unknown, any system using osslsigncode for signature verification prior to version 2.12 is potentially vulnerable. The impact is significant, as it can undermine the trust placed in Authenticode signatures.

Recommendation

Upgrade osslsigncode to version 2.12 or later to patch CVE-2026-39853 and prevent stack buffer overflows.
Monitor systems for unexpected crashes or unusual behavior associated with osslsigncode, which could indicate exploitation attempts.
Implement input validation and sanitization on digest lengths during signature verification to prevent similar vulnerabilities in other applications.

Tenda AC15 Router Stack-Based Buffer Overflow (CVE-2026-5830)

hello@craftedsignal.io — Thu, 09 Apr 2026 02:16:17 +0000

A critical stack-based buffer overflow vulnerability, tracked as CVE-2026-5830, has been identified in Tenda AC15 routers running firmware version 15.03.05.18. The vulnerability resides in the websGetVar function within the /goform/SysToolChangePwd file, which handles password change requests. By crafting malicious requests and manipulating the oldPwd, newPwd, or cfmPwd arguments, an attacker can overwrite the stack, potentially leading to arbitrary code execution. The vulnerability is remotely exploitable by an authenticated user, and publicly available exploit code exists, increasing the risk of widespread exploitation. This poses a significant threat to home and small business networks using affected Tenda AC15 routers.

Attack Chain

An attacker gains unauthorized access to the router’s web management interface, potentially through weak credentials or brute-forcing.
The attacker crafts a malicious HTTP POST request to /goform/SysToolChangePwd.
The crafted request includes oversized data within the oldPwd, newPwd, or cfmPwd parameters.
The websGetVar function processes the request without proper bounds checking.
The oversized data overflows the stack buffer, overwriting adjacent memory regions.
The attacker carefully crafts the overflow to overwrite the return address on the stack.
The websGetVar function returns, diverting execution to the attacker-controlled address.
The attacker-controlled address contains shellcode that executes arbitrary commands, potentially granting complete control over the device.

Impact

Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the affected Tenda AC15 router. This could lead to complete device compromise, including unauthorized access to network traffic, modification of router settings, installation of malware, and use of the compromised device as a botnet node. Given the potentially widespread use of Tenda AC15 routers in home and small business environments, a large number of devices could be vulnerable.

Recommendation

Apply available patches from Tenda to remediate CVE-2026-5830 as soon as they become available.
Monitor webserver logs for suspicious POST requests to /goform/SysToolChangePwd with unusually long oldPwd, newPwd, or cfmPwd parameters and deploy the Sigma rule Detect Tenda AC15 Password Change Overflow.
Implement strong password policies and multi-factor authentication to prevent unauthorized access to the router’s web management interface.
Restrict access to the router’s web management interface to trusted networks only by configuring firewall rules.

ASDA-Soft Stack-based Buffer Overflow Vulnerability (CVE-2026-5726)

hello@craftedsignal.io — Wed, 08 Apr 2026 03:16:07 +0000

CVE-2026-5726 describes a stack-based buffer overflow vulnerability in ASDA-Soft, a software product by Deltaww. This vulnerability, reported and assigned a CVSS v3.1 score of 7.8 by Deltaww, could allow an attacker to execute arbitrary code on a system running the affected software. Successful exploitation requires user interaction, as indicated by the CVSS vector. The specific version of ASDA-Soft affected is detailed in Deltaww’s advisory Delta-PCSA-2026-00007. This vulnerability poses a significant risk to organizations using the affected software, as it could lead to data breaches, system compromise, and other malicious activities. Defenders should apply the provided mitigations to prevent potential exploitation.

Attack Chain

An attacker identifies a vulnerable version of ASDA-Soft running on a target system.
The attacker crafts a malicious input designed to trigger the stack-based buffer overflow. This input likely targets a specific function or data structure within ASDA-Soft.
The attacker delivers the malicious input to the vulnerable ASDA-Soft application, potentially through a specially crafted file or network request requiring user interaction (e.g., opening a malicious project file).
When ASDA-Soft processes the malicious input, the buffer overflow occurs, overwriting adjacent memory on the stack.
The attacker carefully crafts the overflow to overwrite the return address, redirecting execution flow to attacker-controlled code.
The attacker-controlled code is executed with the privileges of the ASDA-Soft process.
The attacker gains control of the system, potentially installing malware, exfiltrating data, or performing other malicious actions.

Impact

Successful exploitation of CVE-2026-5726 allows for arbitrary code execution on the affected system. Given a CVSS score of 7.8, the impact is considered high. While the number of affected systems is currently unknown, organizations using ASDA-Soft are at risk. A successful attack could lead to complete system compromise, data breaches, and disruption of services. The vulnerability requires user interaction, which limits the scope of potential attacks.

Recommendation

Download and review Deltaww’s security advisory Delta-PCSA-2026-00007 for ASDA-Soft to understand the specific affected versions and recommended mitigations.
Monitor network traffic and process execution for suspicious activity related to ASDA-Soft, using the provided Sigma rule for detecting unusual ASDA-Soft processes.
Apply any available patches or updates for ASDA-Soft to remediate CVE-2026-5726.
Implement user awareness training to educate users about the risks of opening untrusted files or clicking on suspicious links that could lead to exploitation of vulnerabilities like CVE-2026-5726.

Tenda CX12L Router Stack-Based Buffer Overflow Vulnerability

hello@craftedsignal.io — Mon, 06 Apr 2026 22:16:24 +0000

A critical stack-based buffer overflow vulnerability has been identified in Tenda CX12L routers running firmware version 16.03.53.12. The vulnerability resides within the fromwebExcptypemanFilter function in the /goform/webExcptypemanFilter file. An attacker with local network access can exploit this flaw by manipulating the page argument passed to this function, leading to arbitrary code execution on the device. The vulnerability, identified as CVE-2026-5684, has a CVSS v3.1 score of 8.0, indicating a high severity. Public exploits for this vulnerability are available, making it crucial for network administrators to address this issue promptly. Successful exploitation could allow an attacker to gain complete control of the router, potentially leading to data theft, network compromise, or denial of service.

Attack Chain

Attacker gains access to the local network where the Tenda CX12L router is located.
The attacker crafts a malicious HTTP request targeting the /goform/webExcptypemanFilter endpoint.
The crafted request includes a page argument with a payload exceeding the buffer size allocated for it within the fromwebExcptypemanFilter function.
The router processes the HTTP request and passes the overly long page argument to the vulnerable function.
The fromwebExcptypemanFilter function attempts to write the contents of the page argument into a fixed-size buffer on the stack.
Due to the excessive length of the page argument, the buffer overflows, overwriting adjacent memory regions on the stack.
The attacker leverages the buffer overflow to overwrite the return address on the stack with the address of malicious code or a ROP chain.
When the fromwebExcptypemanFilter function returns, control is transferred to the attacker-controlled code, allowing for arbitrary code execution.

Impact

Successful exploitation of CVE-2026-5684 allows an attacker with local network access to gain complete control of the affected Tenda CX12L router. This can lead to a variety of malicious activities, including unauthorized access to network traffic, modification of router settings, deployment of malicious firmware, and use of the compromised router as a botnet node. Given the availability of public exploits, organizations using this router model are at significant risk. The number of potential victims is dependent on the number of unpatched Tenda CX12L devices deployed.

Recommendation

Monitor webserver logs for HTTP requests targeting the /goform/webExcptypemanFilter endpoint with abnormally long page parameters to detect potential exploitation attempts. (Log Source: webserver, Rule: “Detect Tenda CX12L Web Request with Long Page Parameter”)
Deploy the Sigma rule “Detect Tenda CX12L Stack Buffer Overflow Attempt” to identify suspicious process creations following a potential exploit.
Review and restrict local network access to the Tenda CX12L router to reduce the attack surface, as the exploit requires local network access.
Contact Tenda for a security patch or firmware update to address CVE-2026-5684.

Qualcomm Memory Corruption Vulnerability CVE-2026-21382

hello@craftedsignal.io — Mon, 06 Apr 2026 16:16:31 +0000

CVE-2026-21382 describes a memory corruption vulnerability in Qualcomm products. The vulnerability stems from improper handling of power management requests with inadequately sized input/output buffers, which could lead to a buffer overflow (CWE-120). This vulnerability was reported by Qualcomm, Inc., and assigned a CVSS v3.1 score of 7.8. While the specific affected products are not detailed in the provided source, the advisory indicates it is part of the April 2026 Qualcomm security bulletin. Successful exploitation could lead to arbitrary code execution within the context of the affected power management component. Defenders should monitor for unusual activity related to power management processes and prioritize patching when updates become available.

Attack Chain

An attacker gains local access to a vulnerable Qualcomm device.
The attacker crafts a malicious power management request with an oversized input buffer.
The crafted request is sent to the affected power management component.
The component processes the request without properly validating the buffer size.
Data from the oversized input buffer overflows into adjacent memory regions.
The attacker overwrites critical data structures or executable code within memory.
The system attempts to execute the corrupted code, leading to a crash or arbitrary code execution.
The attacker gains control of the device or escalates privileges.

Impact

Successful exploitation of CVE-2026-21382 could allow an attacker to execute arbitrary code on a vulnerable Qualcomm device. Although the number of affected devices and specific sectors are not specified in the provided source, the impact of successful exploitation includes potential device compromise, data theft, or denial of service. Due to the high CVSS score, unpatched systems are at significant risk.

Recommendation

Monitor process creation events for power management-related processes spawning unexpected child processes, using a rule similar to the example below.
Analyze network connections from power management-related processes for suspicious outbound traffic to unusual ports or IPs.
Investigate any crashes or unexpected reboots on Qualcomm-based devices, correlating them with power management events in system logs.
Monitor for registry modifications made by power management processes, specifically those related to loading custom drivers or libraries.
Review and apply the security updates outlined in the Qualcomm security bulletin for April 2026 to patch CVE-2026-21382 (https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html).

CVE-2025-47389 Memory Corruption Vulnerability in Attestation Report Generation

hello@craftedsignal.io — Mon, 06 Apr 2026 16:16:27 +0000

CVE-2025-47389 details a memory corruption vulnerability affecting attestation report generation. The flaw arises from a buffer copy operation that fails due to an integer overflow. This overflow occurs during the process of calculating the buffer size required for the attestation report, potentially leading to a write beyond the allocated buffer. Successful exploitation could allow an attacker to overwrite adjacent memory regions, potentially leading to arbitrary code execution or a denial-of-service condition. The vulnerability has a CVSS v3.1 base score of 7.8, indicating a high severity. The vulnerability was reported by Qualcomm and affects Qualcomm products that use attestation report generation. Defenders should monitor for unexpected memory access violations related to attestation services.

Attack Chain

Attacker crafts input to trigger attestation report generation.
The system initiates an attestation report generation process.
An integer overflow occurs during the buffer size calculation for the report.
A buffer is allocated based on the incorrect, smaller size resulting from the overflow.
Data is copied into the undersized buffer during the attestation report creation.
The buffer copy operation overwrites memory beyond the allocated buffer’s boundaries.
Corrupted memory leads to a crash or potentially allows for arbitrary code execution.
Attacker gains control of the system or causes a denial-of-service.

Impact

Successful exploitation of CVE-2025-47389 can lead to memory corruption, potentially enabling arbitrary code execution. This can result in a complete compromise of the affected system, data breaches, or a denial-of-service condition. While the specific number of affected devices is unknown, the vulnerability impacts any device using the affected Qualcomm component for attestation. Exploitation is local, requiring privileged access, but the impact is critical due to potential code execution.

Recommendation

Monitor process memory for write operations exceeding allocated buffer sizes, specifically around attestation report generation (see Sigma rule “Detect Memory Corruption via Buffer Overflow”).
Investigate any crashes or unexpected behavior associated with attestation services, as these could be indicators of exploitation attempts.
Apply patches or updates provided by Qualcomm to address CVE-2025-47389 as soon as they become available (reference: https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html).
Monitor for any anomalous behavior originating from processes involved in attestation report generation (see Sigma rule “Detect Anomalous Attestation Process”).
Review and harden access controls to limit the potential impact of local exploitation.

Tenda CH22 Router Stack-Based Buffer Overflow Vulnerability

hello@craftedsignal.io — Mon, 06 Apr 2026 12:00:00 +0000

A critical vulnerability, identified as CVE-2026-5605, affects Tenda CH22 router version 1.0.0.1. This flaw resides in the formWrlExtraSet function within the /goform/WrlExtraSet file. A remote, unauthenticated attacker can exploit a stack-based buffer overflow by sending a crafted HTTP request with a malicious value for the GO argument. Publicly available exploits exist, increasing the risk of widespread exploitation. Successful exploitation allows the attacker to potentially execute arbitrary code on the device, leading to a complete compromise of the router and the network it serves.

Attack Chain

The attacker identifies a vulnerable Tenda CH22 router running firmware version 1.0.0.1.
The attacker crafts a malicious HTTP POST request targeting the /goform/WrlExtraSet endpoint.
The crafted request includes the GO argument with a string exceeding the expected buffer size in the formWrlExtraSet function.
The router’s web server receives the request and passes the GO argument to the vulnerable function.
The formWrlExtraSet function attempts to copy the oversized GO argument into a fixed-size buffer on the stack.
This write operation overflows the buffer, overwriting adjacent memory regions, including the return address.
When the formWrlExtraSet function returns, it jumps to the address overwritten by the attacker.
The attacker’s injected code executes with the privileges of the web server process, potentially allowing full control of the device.

Impact

Successful exploitation of CVE-2026-5605 can lead to complete compromise of the Tenda CH22 router. This includes unauthorized access to network traffic, modification of router settings, and the potential for the router to be used as a pivot point for further attacks within the network. Given the ease of exploitation and the public availability of exploits, a large number of devices are potentially at risk, impacting both home and small business users.

Recommendation

Monitor web server logs for POST requests to /goform/WrlExtraSet with unusually long GO parameter values to detect potential exploitation attempts. Use the Sigma rule provided below.
Implement rate limiting on requests to /goform/WrlExtraSet to mitigate brute-force exploitation attempts.
Since there is no patch available, consider replacing affected Tenda CH22 1.0.0.1 routers with devices from vendors with timely security updates.

Belkin F9K1015 Stack-Based Buffer Overflow Vulnerability (CVE-2026-5612)

hello@craftedsignal.io — Mon, 06 Apr 2026 03:16:07 +0000

CVE-2026-5612 is a critical vulnerability affecting Belkin F9K1015 router firmware version 1.00.10. Specifically, a stack-based buffer overflow can be triggered in the formWlEncrypt function located within the /goform/formWlEncrypt file. This vulnerability allows a remote attacker to inject arbitrary code by sending a specially crafted request to the router, manipulating the webpage argument. This exploit has been publicly disclosed, increasing the risk of widespread exploitation. Successful exploitation grants the attacker complete control over the device. The vendor was notified, but no response has been received. Given the ease of remote exploitation and the availability of exploit code, immediate action is required to mitigate the risks.

Attack Chain

The attacker identifies a Belkin F9K1015 router running firmware version 1.00.10.
The attacker crafts a malicious HTTP POST request targeting the /goform/formWlEncrypt endpoint.
The crafted request includes an overly long string in the webpage argument to trigger the buffer overflow.
The router’s webserver processes the request and calls the formWlEncrypt function.
The formWlEncrypt function copies the attacker-controlled webpage argument into a fixed-size buffer on the stack without proper bounds checking.
The overflow overwrites adjacent memory regions on the stack, including the return address.
When the formWlEncrypt function returns, control is transferred to the attacker-controlled address.
The attacker executes arbitrary code, potentially gaining full control over the router and its network.

Impact

Successful exploitation of CVE-2026-5612 can lead to complete compromise of the Belkin F9K1015 router. An attacker can execute arbitrary code, potentially installing malware, intercepting network traffic, or using the router as a pivot point for further attacks within the network. Given that this vulnerability is remotely exploitable and a public exploit is available, any unpatched Belkin F9K1015 device is at high risk. The lack of vendor response increases the risk, placing responsibility on network defenders.

Recommendation

Monitor web server logs for POST requests to /goform/formWlEncrypt with abnormally long webpage parameters to detect potential exploitation attempts. See the provided Sigma rule for an example.
Implement network intrusion detection system (NIDS) rules to identify and block suspicious traffic targeting the /goform/formWlEncrypt endpoint.
Since a public exploit exists, consider blocking all traffic to the /goform/formWlEncrypt endpoint as a temporary mitigation measure until a patch is available.
Unfortunately, since the vendor is non-responsive, end-of-life (EOL) of these devices should be considered.

Belkin F9K1122 Stack-Based Buffer Overflow Vulnerability

hello@craftedsignal.io — Mon, 06 Apr 2026 01:16:40 +0000

A stack-based buffer overflow vulnerability, identified as CVE-2026-5608, affects Belkin F9K1122 router version 1.00.33. The vulnerability resides within the formWlanSetup function of the /goform/formWlanSetup file. A remote attacker can exploit this vulnerability by manipulating the webpage argument, leading to arbitrary code execution on the device. This vulnerability is particularly critical because a public exploit is available, increasing the likelihood of widespread exploitation. The vendor has not responded to disclosure attempts, further compounding the risk. Successful exploitation could compromise the device’s functionality and potentially allow the attacker to gain control of the network.

Attack Chain

The attacker identifies a vulnerable Belkin F9K1122 router running firmware version 1.00.33.
The attacker sends a crafted HTTP request to the /goform/formWlanSetup endpoint.
The HTTP request includes a malicious payload within the webpage argument, designed to overflow the stack buffer.
The formWlanSetup function processes the request without proper bounds checking on the webpage argument.
The overflow overwrites critical data on the stack, including the return address.
Upon function return, control is redirected to the attacker’s injected code.
The attacker’s code executes with the privileges of the web server process.
The attacker gains control of the device and can execute arbitrary commands or modify router settings.

Impact

Successful exploitation of CVE-2026-5608 can lead to complete compromise of the affected Belkin F9K1122 router. An attacker could potentially gain unauthorized access to the network, intercept or modify network traffic, or use the compromised device as a point of entry for further attacks on other devices on the network. Given the availability of a public exploit, a large number of Belkin F9K1122 devices are at risk.

Recommendation

Deploy the Sigma rule Detect Belkin F9K1122 Buffer Overflow Attempt to identify exploitation attempts in web server logs.
Monitor web server logs for suspicious POST requests to /goform/formWlanSetup with unusually long webpage arguments to identify potential exploitation attempts.
Since there is no patch available, network segmentation should be implemented to limit the impact of a compromised device, particularly for vulnerable Belkin F9K1122 routers.

Tenda CH22 Router Stack-Based Buffer Overflow Vulnerability

hello@craftedsignal.io — Sun, 05 Apr 2026 23:16:20 +0000

CVE-2026-5604 details a critical security vulnerability affecting Tenda CH22 router version 1.0.0.1. The vulnerability is a stack-based buffer overflow located in the formCertLocalPrecreate function within the /goform/CertLocalPrecreate file, which handles parameters. Attackers can exploit this flaw by manipulating the standard argument. The vulnerability can be triggered remotely, meaning an attacker does not need local access to the device. Given that a public exploit is available, this vulnerability poses a significant risk to users of the affected Tenda CH22 router. This allows unauthenticated attackers to potentially gain full control of the device.

Attack Chain

An attacker identifies a Tenda CH22 router version 1.0.0.1 exposed to the internet.
The attacker crafts a malicious HTTP request targeting the /goform/CertLocalPrecreate endpoint.
The attacker includes an overly long string as the value for the standard parameter in the HTTP request.
The Tenda CH22 router receives the malicious request and passes the standard parameter to the formCertLocalPrecreate function.
The formCertLocalPrecreate function copies the oversized standard argument into a fixed-size buffer on the stack without proper bounds checking.
This causes a stack-based buffer overflow, overwriting adjacent memory regions, including the return address of the function.
The attacker controls the overwritten return address to point to attacker-controlled code injected into memory, or to a Return-Oriented Programming (ROP) chain.
Upon function return, execution is redirected to the attacker’s code, allowing them to execute arbitrary commands on the router.

Impact

Successful exploitation of CVE-2026-5604 allows a remote, unauthenticated attacker to execute arbitrary code on the Tenda CH22 router. This could lead to a complete compromise of the device, allowing the attacker to gain control over network traffic, modify router settings, or use the device as part of a botnet. Given the wide deployment of Tenda routers, a large number of devices could be vulnerable, making this a high-impact vulnerability.

Recommendation

Monitor web server logs for requests to /goform/CertLocalPrecreate with unusually long standard parameters to identify potential exploit attempts (see rule: “Detect Tenda CH22 Buffer Overflow Attempt via Long Standard Parameter”).
Implement rate limiting on the /goform/CertLocalPrecreate endpoint to mitigate brute-force exploitation attempts.
Apply any available firmware updates from Tenda to patch CVE-2026-5604.
Deploy the Sigma rule “Detect Tenda CH22 Router POST Request to CertLocalPrecreate” to identify suspicious POST requests to the affected endpoint and tune for your environment.

RealTerm Serial Terminal SEH Buffer Overflow Vulnerability (CVE-2019-25679)

hello@craftedsignal.io — Sun, 05 Apr 2026 21:16:46 +0000

RealTerm Serial Terminal version 2.0.0.70 is vulnerable to a structured exception handling (SEH) buffer overflow in the Echo Port tab. This vulnerability, identified as CVE-2019-25679, allows a local attacker to execute arbitrary code on a vulnerable system. The attack requires the user to be running the RealTerm application. The attacker must craft a malicious payload containing shellcode and a POP POP RET gadget chain and paste it into the Port field within the Echo Port tab. Subsequently, the attacker needs to induce the user to click the “Change” button, triggering the buffer overflow and allowing arbitrary code execution within the context of the RealTerm application. This poses a significant risk, particularly in environments where RealTerm is used for debugging or serial communication.

Attack Chain

The attacker identifies a vulnerable RealTerm Serial Terminal 2.0.0.70 installation.
The attacker crafts a malicious payload containing shellcode and a POP POP RET gadget chain.
The attacker gains local access to the target system.
The attacker opens the RealTerm application and navigates to the Echo Port tab.
The attacker pastes the malicious payload into the Port field.
The attacker induces the user to click the “Change” button.
The buffer overflow occurs, overwriting the SEH handler.
The POP POP RET gadget chain is executed, redirecting control to the attacker’s shellcode, resulting in arbitrary code execution.

Impact

Successful exploitation of this vulnerability (CVE-2019-25679) allows a local attacker to execute arbitrary code on the affected system. This could lead to complete system compromise, including data theft, installation of malware, or denial of service. Although specific victim counts and targeted sectors are not available, the widespread use of RealTerm in technical environments makes this a potentially significant threat.

Recommendation

Deploy the “RealTerm SEH Overflow Attempt” Sigma rule to detect suspicious process creation following the execution of RealTerm with a long string supplied as an argument.
Monitor process creations where the parent process name is Realterm.exe using the “RealTerm Suspicious Child Process” Sigma rule.
Although not directly available, consider network monitoring to detect anomalies should the attacker install malware after successful exploitation.

River Past Video Cleaner 7.6.3 SEH Buffer Overflow Vulnerability

hello@craftedsignal.io — Sun, 05 Apr 2026 21:16:44 +0000

River Past Video Cleaner version 7.6.3 is vulnerable to a structured exception handler (SEH) buffer overflow. This vulnerability allows a local attacker to execute arbitrary code on a vulnerable system. The attack involves crafting a malicious input string specifically designed to exploit the way the application handles exceptions related to the Lame_enc.dll library. This vulnerability can be exploited by an unauthenticated, local attacker. A successful exploit results in arbitrary code execution in the context of the application. Defenders should implement detection measures to identify malicious processes spawned by River Past Video Cleaner, or unexpected registry modifications.

Attack Chain

A local attacker crafts a malicious input file designed to trigger the buffer overflow.
The attacker places the crafted malicious file in a location accessible to River Past Video Cleaner.
The attacker executes River Past Video Cleaner and instructs it to process the malicious file.
River Past Video Cleaner attempts to load or process the Lame_enc.dll library.
Due to the malicious input, a buffer overflow occurs within the structured exception handler of Lame_enc.dll. This overflow overwrites the saved SEH record on the stack.
When an exception is triggered (as a result of the overflow), the overwritten SEH record is used.
The overwritten SEH record redirects execution to attacker-controlled shellcode.
The attacker’s shellcode executes, potentially granting the attacker arbitrary code execution within the context of the River Past Video Cleaner process.

Impact

Successful exploitation of this vulnerability allows a local attacker to execute arbitrary code on the victim’s machine. This could lead to complete system compromise, data theft, or installation of malware. The vulnerability is specific to River Past Video Cleaner 7.6.3. While specific victim counts are unavailable, the potential impact on any system running the vulnerable software is significant.

Recommendation

Monitor process creations where the parent process is RiverPastVideoCleaner.exe, and the child process is unusual or suspicious (e.g., cmd.exe, powershell.exe) using process creation logs (logsource: process_creation). Deploy the Sigma rule provided to detect potentially malicious child processes.
Implement application control policies to prevent the execution of unsigned or untrusted executables in directories associated with River Past Video Cleaner.
Monitor for unexpected registry modifications performed by RiverPastVideoCleaner.exe (logsource: registry_set). The provided Sigma rule detects potentially malicious registry modifications.

R i386 3.5.0 Local Buffer Overflow Vulnerability (CVE-2019-25656)

hello@craftedsignal.io — Sun, 05 Apr 2026 21:16:42 +0000

R i386 version 3.5.0 contains a local buffer overflow vulnerability, identified as CVE-2019-25656, within the GUI Preferences dialog. This vulnerability allows a local attacker to achieve arbitrary code execution by exploiting a buffer overflow when the application processes user-supplied input in the ‘Language for menus and messages’ field. By crafting a malicious payload string, an attacker can overwrite the Structured Exception Handler (SEH) records. Successful exploitation would allow attackers to execute arbitrary code with the privileges of the user running the application. This poses a significant risk to systems running this vulnerable version of R, potentially leading to complete system compromise.

Attack Chain

Attacker gains local access to a Windows system running R i386 3.5.0.
Attacker opens the R application.
Attacker navigates to the GUI Preferences dialog within the R application.
Attacker identifies the ‘Language for menus and messages’ field within the GUI Preferences.
Attacker crafts a malicious payload string designed to overwrite SEH records, including shellcode for arbitrary code execution.
Attacker inputs the malicious string into the ‘Language for menus and messages’ field.
The R application attempts to process the attacker-supplied string without proper bounds checking, triggering the buffer overflow.
The crafted payload overwrites the SEH record, redirecting execution flow to the attacker-controlled shellcode, resulting in arbitrary code execution.

Impact

Successful exploitation of this vulnerability allows a local attacker to execute arbitrary code on the targeted system. The impact includes potential privilege escalation, allowing the attacker to perform actions with the same privileges as the user running the R application. This could lead to the installation of malware, data exfiltration, or complete system compromise. While specific victim numbers are not available, any system running the vulnerable R i386 3.5.0 is at risk.

Recommendation

Upgrade R to a version higher than 3.5.0 to patch CVE-2019-25656.
Deploy the Sigma rule to detect the execution of R with a modified command line containing long strings to identify potential exploit attempts.
Monitor network connections originating from R processes for suspicious outbound traffic using network connection logs.
Implement the Sigma rule to detect abnormal process execution originating from the R application to catch potential exploitation attempts.

Tenda M3 Router Buffer Overflow Vulnerability

hello@craftedsignal.io — Sun, 05 Apr 2026 13:17:14 +0000

A critical buffer overflow vulnerability has been identified in Tenda M3 router version 1.0.0.10. The vulnerability resides in the setAdvPolicyData function within the /goform/setAdvPolicyData file, a part of the Destination Handler component. By manipulating the policyType argument, a remote attacker can trigger a buffer overflow, potentially leading to arbitrary code execution. Publicly available exploit code exists, increasing the risk of exploitation. This vulnerability poses a significant threat to organizations utilizing the affected Tenda M3 router, potentially allowing attackers to gain unauthorized access to the network or disrupt services.

Attack Chain

Attacker identifies a vulnerable Tenda M3 router exposed to the internet or reachable from their network position.
Attacker sends a crafted HTTP POST request to /goform/setAdvPolicyData.
The POST request includes a malicious policyType argument designed to overflow the buffer in the setAdvPolicyData function.
The setAdvPolicyData function in /goform/setAdvPolicyData processes the policyType argument without proper bounds checking.
The excessive data provided in the policyType argument overwrites adjacent memory regions.
The attacker carefully crafts the overflow to overwrite critical data or inject malicious code into the process’s memory space.
The injected code is executed, giving the attacker control over the router.
The attacker can then use the compromised router as a foothold to pivot to other devices on the network, exfiltrate sensitive data, or cause denial of service.

Impact

Successful exploitation of this buffer overflow vulnerability allows a remote attacker to execute arbitrary code on the Tenda M3 router. This could lead to a complete compromise of the device, allowing the attacker to control network traffic, access sensitive information, or use the router as a launchpad for further attacks within the network. Given the severity and the existence of public exploits, vulnerable routers are at high risk of being targeted.

Recommendation

Apply any available firmware updates from Tenda to patch CVE-2026-5567.
Monitor web server logs for suspicious POST requests to /goform/setAdvPolicyData with unusually long policyType arguments; deploy the Sigma rule Detect Suspicious PolicyType Argument Length to identify this activity.
Implement network segmentation to limit the potential impact of a compromised router.
Consider using a web application firewall (WAF) to filter malicious requests targeting the affected endpoint.
Review and restrict access to the router’s management interface to authorized personnel only.

Tenda AC10 Stack-Based Buffer Overflow Vulnerability

hello@craftedsignal.io — Sun, 05 Apr 2026 08:16:25 +0000

A critical stack-based buffer overflow vulnerability, identified as CVE-2026-5550, exists in Tenda AC10 router firmware version 16.03.10.10_multi_TDE01. The vulnerability is located in the fromSysToolChangePwd function within the /bin/httpd binary. A remote attacker can exploit this flaw to overwrite the stack and potentially execute arbitrary code on the affected device. This is achieved by sending a specially crafted request to the device. Successful exploitation could lead to complete system compromise, allowing attackers to gain unauthorized access, control the device, or use it as a foothold for further network intrusion. Given the widespread use of Tenda routers, this vulnerability poses a significant risk to home and small business networks.

Attack Chain

The attacker identifies a Tenda AC10 router running firmware version 16.03.10.10_multi_TDE01.
The attacker crafts a malicious HTTP request targeting the /bin/httpd endpoint.
The malicious request is designed to overflow the buffer in the fromSysToolChangePwd function when processing the request parameters.
The overflow overwrites the stack with attacker-controlled data, including the return address.
The httpd process attempts to return from the fromSysToolChangePwd function.
Due to the overwritten return address, execution is redirected to the attacker’s code.
The attacker’s code executes with the privileges of the httpd process.
The attacker gains control of the device and can perform arbitrary actions, such as modifying router settings, executing commands, or establishing a backdoor.

Impact

Successful exploitation of CVE-2026-5550 allows a remote attacker to gain complete control of the affected Tenda AC10 router. This can lead to data breaches, denial-of-service attacks, or the router being used as part of a botnet. Given the potential for widespread exploitation and the ease with which the vulnerability can be triggered, CVE-2026-5550 poses a high risk to users of the affected Tenda AC10 router model. The attacker could potentially monitor all network traffic passing through the device, steal sensitive information, or use the compromised device to launch attacks against other systems on the network or the internet.

Recommendation

Monitor web server logs for suspicious POST requests to /bin/httpd with abnormally large parameter values that could indicate a buffer overflow attempt targeting the fromSysToolChangePwd function to trigger the vulnerability (see the related Sigma rule below).
Since a patch is not mentioned, consider replacing the affected Tenda AC10 device or isolating it from critical network segments if immediate replacement is not feasible.
Deploy the Sigma rules in this brief to your SIEM and tune for your environment.

Snes9K 0.0.9z Buffer Overflow Vulnerability (CVE-2018-25251)

hello@craftedsignal.io — Sat, 04 Apr 2026 14:16:21 +0000

Snes9K version 0.0.9z contains a buffer overflow vulnerability (CVE-2018-25251) within the Netplay functionality. Specifically, the application fails to properly validate the size of user-supplied input for the “Netplay Socket Port Number” field. By exploiting this vulnerability, a local attacker can overwrite the Structured Exception Handler (SEH) chain. Successful exploitation allows an attacker to execute arbitrary code within the context of the running Snes9K application, potentially leading to complete system compromise. The vulnerability resides within the Netplay Options menu, accessible from the Snes9K interface.

Attack Chain

The attacker gains local access to a system with Snes9K 0.0.9z installed.
The attacker opens the Snes9K application.
The attacker navigates to the “Netplay Options” menu within the application.
The attacker locates the “Netplay Socket Port Number” field.
The attacker crafts a malicious payload designed to overwrite the SEH chain. This payload includes the address of the attacker’s shellcode.
The attacker pastes the malicious payload into the “Netplay Socket Port Number” field, exceeding the expected buffer size.
The application attempts to handle the overflow, triggering the SEH.
The SEH is overwritten by the attacker’s payload, redirecting execution to the attacker’s shellcode. This results in arbitrary code execution.

Impact

Successful exploitation of this buffer overflow vulnerability allows a local attacker to execute arbitrary code on the affected system. This could lead to complete system compromise, including data theft, installation of malware, and further lateral movement within the network. While the vulnerability requires local access, it could be leveraged as part of a more complex attack chain, for example, after initial access is gained through a separate vulnerability or social engineering.

Recommendation

Monitor for the execution of Snes9K followed by unusual process creation, using the process_creation Sigma rule provided below.
Monitor for applications writing to Snes9K configuration files followed by the execution of Snes9K, using the file_event and process_creation Sigma rules provided below.
Consider removing the vulnerable software from systems or restricting access to it until a patched version is available.

V-SFT Stack-Based Buffer Overflow Vulnerability (CVE-2026-32928)

hello@craftedsignal.io — Wed, 01 Apr 2026 23:17:03 +0000

V-SFT versions 6.2.10.0 and earlier are vulnerable to a stack-based buffer overflow (CVE-2026-32928) located in the VS6ComFile!CSaveData::_conv_AnimationItem function. This vulnerability is triggered when the software processes a specially crafted V7 file. Successful exploitation of this vulnerability can lead to arbitrary code execution within the context of the application. Given the potential for complete system compromise, organizations using affected versions of V-SFT should take immediate steps to mitigate this risk. This vulnerability was reported by JPCERT/CC.

Attack Chain

Attacker identifies a target using a vulnerable version of V-SFT (<= 6.2.10.0).
Attacker crafts a malicious V7 file designed to trigger the buffer overflow in the VS6ComFile!CSaveData::_conv_AnimationItem function.
The attacker delivers the malicious V7 file to the target, potentially through social engineering or other means.
The target user opens the malicious V7 file using the vulnerable V-SFT software.
The VS6ComFile!CSaveData::_conv_AnimationItem function processes the V7 file, copying data into a fixed-size buffer on the stack.
The crafted V7 file contains data exceeding the buffer’s capacity, causing a buffer overflow.
The overflow overwrites adjacent stack memory, including the return address.
When the _conv_AnimationItem function returns, execution is redirected to an attacker-controlled address, allowing arbitrary code execution.

Impact

Successful exploitation of CVE-2026-32928 allows an attacker to execute arbitrary code on the affected system. This could lead to complete system compromise, data theft, or denial of service. The vulnerability affects any system running V-SFT versions 6.2.10.0 and prior. The severity is rated as high with a CVSS v3.1 score of 7.8.

Recommendation

Apply the patch or upgrade to a non-vulnerable version of V-SFT (later than 6.2.10.0) as provided by the vendor.
Monitor process creation events for V-SFT processes spawning child processes or executing unusual commands, using the provided Sigma rule.
Implement file integrity monitoring for the V-SFT executable and associated libraries to detect unauthorized modifications.
Educate users about the risks of opening files from untrusted sources to mitigate social engineering attacks.

Mbed TLS FFDH Public Key Export Buffer Overflow

hello@craftedsignal.io — Wed, 01 Apr 2026 18:16:31 +0000

A critical buffer overflow vulnerability has been identified in Mbed TLS, a widely used open-source cryptographic library. Specifically, CVE-2026-34875 affects Mbed TLS versions up to 3.6.5 and TF-PSA-Crypto 1.0.0. The vulnerability is triggered during the export of public keys associated with Finite Field Diffie-Hellman (FFDH) algorithms. This flaw can be exploited by an attacker to overwrite memory buffers, potentially leading to arbitrary code execution or a denial-of-service condition. Given the prevalence of Mbed TLS in embedded systems and other security-sensitive applications, this vulnerability poses a significant risk to a wide range of devices and services. Defenders should prioritize patching and mitigation efforts to prevent potential exploitation. The vulnerability was published on 2026-04-01.

Attack Chain

Attacker identifies a system using a vulnerable version of Mbed TLS (<= 3.6.5) or TF-PSA-Crypto (1.0.0).
Attacker crafts a malicious request that triggers the FFDH public key export function.
The vulnerable function fails to properly validate the size of the buffer used to store the exported public key.
The application attempts to copy the public key data into the undersized buffer.
A buffer overflow occurs, overwriting adjacent memory regions.
The attacker gains control of program execution by overwriting critical data structures or function pointers.
The attacker executes arbitrary code on the target system.
The attacker achieves their final objective, such as gaining unauthorized access, stealing sensitive data, or causing a denial-of-service condition.

Impact

Successful exploitation of CVE-2026-34875 can lead to a variety of severe consequences. The most critical outcome is arbitrary code execution, allowing attackers to gain complete control over the affected system. This could result in the theft of sensitive data, installation of malware, or disruption of critical services. Even without achieving code execution, the buffer overflow can cause a denial-of-service condition, rendering the system unusable. The wide adoption of Mbed TLS means that this vulnerability has the potential to impact numerous devices and applications across various sectors.

Recommendation

Upgrade Mbed TLS to a patched version (later than 3.6.5) or TF-PSA-Crypto to a version that includes the fix for CVE-2026-34875.
Apply input validation to any data that is used in the FFDH public key export functionality as a short-term workaround.
Deploy the provided Sigma rule Detect_MbedTLS_FFDH_Public_Key_Export to identify potential exploitation attempts by monitoring process memory writes in Mbed TLS processes.
Monitor web server logs for anomalies in requests related to TLS key exchange, in combination with MbedTLS to catch abnormal activity.

Tenda CH22 Stack-Based Buffer Overflow Vulnerability (CVE-2026-5204)

hello@craftedsignal.io — Tue, 31 Mar 2026 16:16:35 +0000

CVE-2026-5204 describes a critical stack-based buffer overflow vulnerability affecting Tenda CH22 router version 1.0.0.1. The vulnerability resides within the formWebTypeLibrary function in the /goform/webtypelibrary file, which handles web-based parameter input. An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the router, manipulating the webSiteId argument to overwrite the stack buffer. This allows for arbitrary code execution on the device. Given the router’s role as a network gateway, successful exploitation can lead to complete compromise of the device and potentially the entire network behind it. The availability of a public exploit increases the risk of widespread exploitation.

Attack Chain

The attacker identifies a vulnerable Tenda CH22 router running firmware version 1.0.0.1.
The attacker crafts a malicious HTTP POST request targeting the /goform/webtypelibrary endpoint.
The crafted request includes the webSiteId parameter with a payload exceeding the expected buffer size, triggering the stack-based buffer overflow in the formWebTypeLibrary function.
The overflow overwrites critical data on the stack, including the return address.
The overwritten return address is replaced with the address of malicious code injected into the payload or a pre-existing code location within the router’s firmware (Return-Oriented Programming - ROP).
The formWebTypeLibrary function returns, transferring control to the attacker-controlled code.
The attacker’s code executes, granting the attacker control over the device.
The attacker can then use this control to further compromise the network or disrupt services.

Impact

Successful exploitation of CVE-2026-5204 allows a remote attacker to execute arbitrary code on the vulnerable Tenda CH22 router. This can lead to complete control of the device, enabling the attacker to intercept network traffic, modify DNS settings, create VPNs, or launch further attacks on devices within the network. Given that routers are essential network devices, a successful attack can have a significant impact, affecting all connected devices and potentially exposing sensitive data.

Recommendation

Apply available firmware updates for Tenda CH22 routers immediately to patch CVE-2026-5204.
Deploy the Sigma rule Tenda-CH22-WebSiteId-Buffer-Overflow to detect exploitation attempts targeting the vulnerable endpoint.
Monitor web server logs for suspicious POST requests to /goform/webtypelibrary with unusually long webSiteId parameters, as indicated by WebSiteId_Length_Detection Sigma rule.
Implement network segmentation to limit the impact of a potential router compromise.

Tenda CH22 Router Stack-Based Buffer Overflow Vulnerability

hello@craftedsignal.io — Tue, 31 Mar 2026 00:16:15 +0000

A stack-based buffer overflow vulnerability has been identified in Tenda CH22 router version 1.0.0.1. The vulnerability resides within the formQuickIndex function of the /goform/QuickIndex file, which is a component of the Parameter Handler. This flaw can be triggered by manipulating the mit_linktype argument, leading to a buffer overflow on the stack. The vulnerability is remotely exploitable, meaning an attacker can trigger the flaw over the network without needing local access to the device. The existence of a public exploit further increases the risk of potential exploitation by malicious actors. Successful exploitation could allow an attacker to execute arbitrary code on the device.

Attack Chain

An attacker identifies a vulnerable Tenda CH22 router running firmware version 1.0.0.1 exposed to the internet.
The attacker crafts a malicious HTTP POST request targeting the /goform/QuickIndex endpoint.
The malicious request includes the mit_linktype argument with a payload exceeding the expected buffer size.
The Tenda CH22 router processes the HTTP request and passes the mit_linktype argument to the formQuickIndex function.
The formQuickIndex function copies the attacker-controlled mit_linktype data into a fixed-size buffer on the stack without proper bounds checking.
Due to the oversized payload, the copy operation overflows the buffer, overwriting adjacent memory on the stack, including the return address.
The formQuickIndex function completes and attempts to return to the caller function.
Due to the overwritten return address, control is redirected to attacker-controlled code, enabling arbitrary code execution.

Impact

Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the Tenda CH22 router. This can lead to a variety of malicious outcomes, including complete device compromise, denial of service, and the potential to use the router as a launchpad for further attacks on the local network or the internet. Given that routers are often used in both home and small business environments, a successful attack could affect a wide range of users and organizations.

Recommendation

Monitor web server logs for POST requests to /goform/QuickIndex with unusually long mit_linktype parameters to detect potential exploitation attempts. Implement the Sigma rule Detect Tenda CH22 mit_linktype Buffer Overflow Attempt against web server logs.
Implement rate limiting on the /goform/QuickIndex endpoint to mitigate potential denial-of-service attacks stemming from exploitation.
Since the source material identifies CWE-119 and CWE-121 as root causes, review code practices related to buffer handling and implement stricter input validation procedures.

Tenda CH22 Stack-Based Buffer Overflow Vulnerability

hello@craftedsignal.io — Mon, 30 Mar 2026 23:17:04 +0000

A critical stack-based buffer overflow vulnerability, identified as CVE-2026-5154, has been discovered in Tenda CH22 firmware version 1.0.0.1/1.If. The vulnerability resides within the fromSetCfm function in the /goform/setcfm file, a component of the Parameter Handler. Successful exploitation allows remote attackers to execute arbitrary code on the device. Publicly available exploits exist, increasing the risk of widespread exploitation. This vulnerability poses a significant threat to affected Tenda CH22 devices, potentially leading to complete system compromise.

Attack Chain

Attacker identifies a Tenda CH22 device running firmware version 1.0.0.1/1.If.
The attacker crafts a malicious HTTP POST request targeting the /goform/setcfm endpoint.
The request includes the funcname argument containing a string exceeding the buffer size allocated to it.
The fromSetCfm function processes the malicious funcname argument without proper bounds checking.
The oversized funcname value overflows the stack buffer, overwriting adjacent memory regions.
The attacker overwrites the return address on the stack with an address pointing to malicious code or a ROP chain.
The fromSetCfm function returns, causing execution to jump to the attacker-controlled address.
The attacker gains arbitrary code execution on the device, potentially leading to full system compromise.

Impact

Successful exploitation of this vulnerability allows a remote, unauthenticated attacker to execute arbitrary code on the affected Tenda CH22 device. This can result in complete device compromise, allowing the attacker to control the device, steal sensitive information, or use the device as a foothold for further attacks on the network. Given the availability of public exploits, a large number of devices could be compromised if left unpatched.

Recommendation

Monitor web server logs for suspicious POST requests to /goform/setcfm with unusually long funcname parameters, using the provided Sigma rule.
Implement rate limiting on requests to /goform/setcfm to mitigate potential brute-force exploitation attempts.
Apply any available patches or firmware updates from Tenda to address CVE-2026-5154.

Tenda FH1201 Stack-Based Buffer Overflow Vulnerability (CVE-2026-5046)

hello@craftedsignal.io — Sun, 29 Mar 2026 15:16:36 +0000

CVE-2026-5046 is a stack-based buffer overflow vulnerability affecting Tenda FH1201 routers running firmware version 1.2.0.14(408). The vulnerability resides within the formWrlExtraSet function of the /goform/WrlExtraSet component, specifically in the handling of the GO argument. A remote attacker can exploit this flaw by sending a crafted HTTP request with a maliciously oversized GO parameter, overwriting the stack and potentially gaining arbitrary code execution on the device. The…

Belkin F9K1122 Stack-Based Buffer Overflow Vulnerability

hello@craftedsignal.io — Sun, 29 Mar 2026 13:17:03 +0000

A critical security vulnerability, CVE-2026-5044, has been identified in Belkin F9K1122 router version 1.00.33. The vulnerability resides within the formSetSystemSettings function of the /goform/formSetSystemSettings file, which is part of the Setting Handler component. Successful exploitation allows a remote attacker to trigger a stack-based buffer overflow by manipulating the webpage argument. This could result in arbitrary code execution on the device. Publicly available exploit code…

Belkin F9K1122 Router Stack-Based Buffer Overflow Vulnerability

hello@craftedsignal.io — Sun, 29 Mar 2026 11:16:34 +0000

A critical stack-based buffer overflow vulnerability, identified as CVE-2026-5042, has been discovered in Belkin F9K1122 routers running firmware version 1.00.33. The vulnerability resides within the formCrossBandSwitch function of the /goform/formCrossBandSwitch file, a component of the Parameter Handler. Successful exploitation could allow a remote, unauthenticated attacker to execute arbitrary code on the device. Publicly available exploit code increases the risk of widespread…

Tenda 4G06 Router Stack-Based Buffer Overflow Vulnerability (CVE-2026-5036)

hello@craftedsignal.io — Sun, 29 Mar 2026 08:15:56 +0000

A stack-based buffer overflow vulnerability, identified as CVE-2026-5036, affects the Tenda 4G06 router, specifically version 04.06.01.29. The vulnerability resides in the fromDhcpListClient function within the /goform/DhcpListClient endpoint. A remote attacker can exploit this by crafting a malicious request that manipulates the page argument, leading to a buffer overflow on the stack. This could allow the attacker to potentially execute arbitrary code on the device. Given the…

Tenda F453 Stack-Based Buffer Overflow Vulnerability (CVE-2026-5021)

hello@craftedsignal.io — Sun, 29 Mar 2026 02:16:17 +0000

A stack-based buffer overflow vulnerability, identified as CVE-2026-5021, has been discovered in Tenda F453 router version 1.0.0.3. This vulnerability resides within the fromPPTPUserSetting function of the /goform/PPTPUserSetting component, specifically in the httpd process. The vulnerability can be triggered by manipulating the delno argument. Successful exploitation allows remote attackers to potentially execute arbitrary code on the affected device. Publicly available exploit code…

Wavlink WL-WN579X3-C Stack-Based Buffer Overflow Vulnerability

hello@craftedsignal.io — Sun, 29 Mar 2026 00:00:00 +0000

A critical vulnerability, identified as CVE-2026-5004, affects the Wavlink WL-WN579X3-C 231124 router. The vulnerability lies within the UPNP Handler component, specifically the /cgi-bin/firewall.cgi file’s sub_4019FC function. By manipulating the UpnpEnabled argument, a remote attacker can trigger a stack-based buffer overflow. This can lead to arbitrary code execution on the device. Public exploits for this vulnerability are available, increasing the risk of widespread exploitation. Despite responsible disclosure attempts, the vendor has not provided a patch or response, leaving users vulnerable. This is a significant concern for network security, especially for devices exposed to the internet.

Attack Chain

The attacker identifies a vulnerable Wavlink WL-WN579X3-C 231124 router exposed to the internet.
The attacker crafts a malicious HTTP request targeting /cgi-bin/firewall.cgi.
The HTTP request includes a manipulated UpnpEnabled argument designed to overflow the buffer in the sub_4019FC function.
The vulnerable sub_4019FC function processes the UpnpEnabled argument without proper bounds checking.
The buffer overflow occurs, overwriting adjacent memory on the stack, including the return address.
The overwritten return address points to attacker-controlled code.
Upon function return, execution jumps to the attacker-controlled code, allowing arbitrary commands to be executed.
The attacker gains remote code execution, potentially allowing complete control of the device, including network access and data exfiltration.

Impact

Successful exploitation of CVE-2026-5004 allows a remote attacker to execute arbitrary code on the vulnerable Wavlink WL-WN579X3-C 231124 router. This could lead to complete device compromise, including unauthorized network access, data exfiltration, and the potential use of the router as a botnet node. Given the availability of public exploits, a widespread exploitation is possible, affecting potentially thousands of devices. The lack of vendor response exacerbates the risk, as no official patch is available.

Recommendation

Deploy the Sigma rule Detect Suspicious Firewall CGI Requests to your SIEM and tune for your environment to identify potential exploitation attempts targeting the /cgi-bin/firewall.cgi endpoint.
Deploy the Sigma rule Detect UPNP Enabled Overflow to detect possible overflows.
Monitor web server logs for requests to /cgi-bin/firewall.cgi with unusually long UpnpEnabled parameters.
If possible, isolate Wavlink WL-WN579X3-C 231124 routers from direct internet exposure until a patch is available.

Crashmail 1.6 Stack-Based Buffer Overflow Vulnerability

hello@craftedsignal.io — Sat, 28 Mar 2026 12:16:03 +0000

Crashmail 1.6 is susceptible to a stack-based buffer overflow vulnerability (CVE-2018-25223) that allows remote attackers to execute arbitrary code. This vulnerability is triggered when the application receives specially crafted input designed to overwrite the stack. Attackers can leverage Return-Oriented Programming (ROP) chains to achieve code execution within the context of the application. Failed exploitation attempts may result in a denial-of-service condition, impacting application availability. Given the network-accessible nature of the vulnerability and the potential for arbitrary code execution, it poses a significant risk to systems running Crashmail 1.6.

Attack Chain

The attacker identifies a vulnerable Crashmail 1.6 server exposed to the network.
The attacker crafts a malicious input specifically designed to exploit the stack-based buffer overflow vulnerability (CVE-2018-25223). This input includes shellcode or a ROP chain.
The attacker sends the malicious input to the Crashmail application via a network connection.
The application processes the malicious input, triggering the buffer overflow when copying the input data to a fixed-size buffer on the stack.
The overflow overwrites critical stack data, including the return address of the current function.
Upon function return, control is redirected to the attacker-controlled address, initiating the execution of the injected shellcode or ROP chain.
The shellcode or ROP chain executes arbitrary commands, potentially including installing malware, creating new user accounts, or exfiltrating sensitive data.
If the exploit fails, the application may crash, resulting in a denial-of-service condition.

Impact

Successful exploitation of this vulnerability allows remote attackers to execute arbitrary code on the affected system. This could lead to complete system compromise, including data theft, malware installation, and denial of service. Given the critical CVSS score of 9.8, organizations running vulnerable versions of Crashmail are at high risk. The number of potential victims is dependent on the number of Crashmail 1.6 installations exposed to network traffic.

Recommendation

Apply available patches or upgrades to mitigate CVE-2018-25223 in Crashmail 1.6.
Monitor network traffic for suspicious patterns indicative of exploit attempts targeting Crashmail, using the process_creation Sigma rule below to detect unexpected processes.
Implement network segmentation to limit the potential impact of a successful exploit.
Deploy the provided Sigma rule to detect potential exploitation attempts by monitoring process creations spawned from the crashmail process.

SC v7.16 Stack-Based Buffer Overflow Vulnerability (CVE-2018-25222)

hello@craftedsignal.io — Sat, 28 Mar 2026 12:16:02 +0000

SC v7.16 is susceptible to a stack-based buffer overflow vulnerability, identified as CVE-2018-25222. This flaw enables local attackers to execute arbitrary code by crafting malicious input that exceeds buffer boundaries. Specifically, providing an input string longer than 1052 bytes can overwrite the instruction pointer, enabling the execution of attacker-controlled shellcode within the application’s context. This vulnerability poses a significant threat to systems running the affected version…

Flat Assembler Stack-Based Buffer Overflow Vulnerability (CVE-2017-20228)

hello@craftedsignal.io — Sat, 28 Mar 2026 12:16:02 +0000

The Flat Assembler (FASM) version 1.71.21 is vulnerable to a stack-based buffer overflow (CVE-2017-20228). This vulnerability allows a local attacker to execute arbitrary code on a vulnerable system. The attack requires the attacker to supply a specially crafted assembly file as input to FASM. By providing an input file larger than 5895 bytes, the attacker can overwrite the instruction pointer, leading to arbitrary code execution. This is achieved through return-oriented programming (ROP)…

EChat Server 3.1 Buffer Overflow Vulnerability in chat.ghp Endpoint

hello@craftedsignal.io — Sat, 28 Mar 2026 12:16:02 +0000

EChat Server 3.1 is susceptible to a critical buffer overflow vulnerability (CVE-2018-25221) located in the chat.ghp endpoint. This flaw allows an unauthenticated remote attacker to execute arbitrary code within the context of the application. The attack is achieved by sending a specially crafted HTTP GET request to the vulnerable endpoint, including an oversized username parameter. The excessive length of the username causes a buffer overflow, enabling the attacker to inject and execute malicious shellcode and ROP gadgets. Successful exploitation grants the attacker complete control over the targeted EChat Server instance. This vulnerability poses a significant risk to organizations using the affected EChat Server version, potentially leading to data breaches, system compromise, and service disruption.

Attack Chain

The attacker identifies an EChat Server 3.1 instance.
The attacker crafts a malicious HTTP GET request targeting the chat.ghp endpoint.
The GET request includes a username parameter with a value exceeding the expected buffer size.
The oversized username value contains shellcode designed for arbitrary code execution.
The chat.ghp endpoint processes the GET request without proper bounds checking on the username parameter.
The excessive username data overwrites adjacent memory regions, including return addresses on the stack.
The overwritten return addresses are manipulated to point to ROP gadgets and the injected shellcode.
Upon returning from the chat.ghp handler, the hijacked execution flow executes the attacker’s shellcode, granting them control of the server.

Impact

Successful exploitation of the buffer overflow vulnerability (CVE-2018-25221) in EChat Server 3.1 enables remote attackers to execute arbitrary code on the affected server. This can lead to complete system compromise, including the ability to install malware, steal sensitive data, or disrupt services. Given the severity and ease of exploitation, any organization running EChat Server 3.1 is at high risk.

Recommendation

Apply appropriate input validation and sanitization to the username parameter in chat.ghp to prevent buffer overflows (reference CVE-2018-25221).
Monitor web server logs for unusually long GET requests targeting the chat.ghp endpoint as identified in the attack chain (see rule: “Detect Suspiciously Long GET Requests to chat.ghp”).
Implement runtime protection mechanisms to detect and prevent shellcode execution, mitigating successful exploitation attempts.
Deploy the Sigma rules provided in this brief to detect exploitation attempts in your environment.

PInfo 0.6.9-5.1 Local Buffer Overflow Vulnerability

hello@craftedsignal.io — Sat, 28 Mar 2026 12:16:00 +0000

PInfo 0.6.9-5.1 contains a critical local buffer overflow vulnerability (CVE-2016-20044) that allows a malicious local attacker to execute arbitrary code. This vulnerability stems from the application’s insufficient input validation when handling the ‘-m’ parameter. By exploiting this flaw, an attacker can overwrite the instruction pointer and gain unauthorized access. This can potentially lead to full system compromise. The attacker crafts a malicious input string with 564 bytes of padding followed by a return address.

Attack Chain

The attacker gains local access to the vulnerable system.
The attacker identifies the PInfo binary (likely located in /usr/bin or /usr/local/bin).
The attacker crafts a malicious input string exceeding the buffer size allocated for the ‘-m’ parameter. This malicious string includes 564 bytes of padding.
The attacker appends a return address to the malicious string, pointing to a memory location containing the attacker’s shellcode.
The attacker executes the PInfo binary with the crafted malicious input as an argument to the ‘-m’ parameter. pinfo -m "A"*564 + .
The buffer overflow occurs, overwriting the return address on the stack.
When the PInfo function returns, it jumps to the attacker-controlled address, executing the shellcode.
The attacker’s shellcode executes with the privileges of the user running PInfo. This can lead to privilege escalation if PInfo is run by a privileged user or via setuid.

Impact

Successful exploitation of this vulnerability allows a local attacker to execute arbitrary code with the privileges of the user running the vulnerable PInfo application. This could lead to sensitive data disclosure, unauthorized modification of system files, or complete system compromise. While the exact number of affected systems is unknown, any system running PInfo 0.6.9-5.1 is potentially vulnerable.

Recommendation

Apply available patches or upgrade to a version of PInfo that addresses CVE-2016-20044.
Monitor process creation events for executions of pinfo with unusually long arguments to the -m parameter, using the Sigma rule provided.
Implement strict input validation for all command-line arguments in applications to prevent buffer overflows.

yTree Stack-Based Buffer Overflow Vulnerability (CVE-2016-20038)

hello@craftedsignal.io — Sat, 28 Mar 2026 12:15:59 +0000

yTree versions 1.94 to 1.1 are susceptible to a stack-based buffer overflow vulnerability (CVE-2016-20038). A local attacker can exploit this flaw by providing an overly long command-line argument to the application. The vulnerability allows the attacker to overwrite the stack memory, inject and execute arbitrary code within the context of the yTree application. This could lead to a full system compromise if the attacker gains sufficient privileges. This vulnerability has been publicly known…

TiEmu 3.03 Buffer Overflow Vulnerability (CVE-2016-20040)

hello@craftedsignal.io — Sat, 28 Mar 2026 12:15:59 +0000

TiEmu, a Texas Instruments (TI) calculator emulator, version 3.03-nogdb+dfsg-3, is susceptible to a buffer overflow vulnerability (CVE-2016-20040). This flaw resides within the handling of ROM parameters passed via the command-line interface. An unauthenticated, local attacker can exploit this vulnerability by supplying an oversized ROM parameter. Successful exploitation allows the attacker to crash the application, potentially leading to a denial of service, or, more seriously, execute…

Multi Emulator Super System (MESS) Buffer Overflow Vulnerability (CVE-2016-20039)

hello@craftedsignal.io — Sat, 28 Mar 2026 12:15:59 +0000

Multi Emulator Super System (MESS) version 0.154-3.1 is susceptible to a buffer overflow vulnerability, identified as CVE-2016-20039. This flaw resides in the handling of the “gamma” parameter. A local attacker can exploit this vulnerability by providing an overly large value for the gamma parameter. Successful exploitation allows the attacker to overwrite the stack buffer, potentially leading to arbitrary code execution and complete system compromise. This vulnerability was reported in March…

xwpe Stack-Based Buffer Overflow Vulnerability (CVE-2016-20037)

hello@craftedsignal.io — Sat, 28 Mar 2026 12:15:58 +0000

The xwpe application, version 1.5.30a-2.1 and prior, contains a stack-based buffer overflow vulnerability (CVE-2016-20037). This vulnerability allows a local attacker to execute arbitrary code or cause a denial of service. The attack involves crafting a malicious command-line argument with an input string exceeding buffer boundaries. Specifically, the attacker can supply 262 bytes of junk data, followed by shellcode, to overwrite the instruction pointer and gain control of the application’s…

Tenda AC15 Stack-Based Buffer Overflow Vulnerability (CVE-2026-4975)

hello@craftedsignal.io — Sat, 28 Mar 2026 12:00:00 +0000

CVE-2026-4975 is a critical security vulnerability affecting Tenda AC15 routers running firmware version 15.03.05.19. This vulnerability resides in the formSetCfm function, specifically within the /goform/setcfm file, which handles POST requests. An attacker can exploit a stack-based buffer overflow by sending a crafted POST request with a malicious payload in the funcpara1 argument. The vulnerability is remotely exploitable, meaning an attacker does not need local access to the device…

eswifi Socket Offload Driver Buffer Overflow Vulnerability (CVE-2026-1679)

hello@craftedsignal.io — Sat, 28 Mar 2026 00:16:04 +0000

CVE-2026-1679 is a buffer overflow vulnerability affecting the eswifi socket offload driver. The vulnerability arises because the driver copies user-provided payloads into a fixed-size buffer without validating the input size. This can lead to an overflow of the eswifi->buf buffer, resulting in corruption of kernel memory (CWE-120). The Zephyr Project assigned a CVSS v3.1 score of 7.3 to this vulnerability. Exploitation requires local code execution to call the socket send API; it is not…

Totolink LR350 Remote Buffer Overflow Vulnerability (CVE-2026-4976)

hello@craftedsignal.io — Fri, 27 Mar 2026 21:17:28 +0000

A critical buffer overflow vulnerability, CVE-2026-4976, has been identified in Totolink LR350 routers running firmware version 9.3.5u.6369_B20220309. The vulnerability resides in the setWiFiGuestCfg function within the /cgi-bin/cstecgi.cgi file. By crafting a malicious HTTP request and manipulating the ssid argument, a remote, unauthenticated attacker can trigger a buffer overflow, potentially leading to arbitrary code execution on the device. The availability of a public exploit…

Tenda AC7 Stack-Based Buffer Overflow in SetSysTimeCfg

hello@craftedsignal.io — Fri, 27 Mar 2026 20:16:38 +0000

A stack-based buffer overflow vulnerability has been identified in Tenda AC7 router firmware, specifically version 15.03.06.44. The vulnerability resides in the fromSetSysTime function within the /goform/SetSysTimeCfg component, which handles POST requests. A remote attacker can exploit this flaw by crafting a malicious POST request with an overly long Time argument, causing a buffer overflow on the stack. Publicly available exploits exist, increasing the risk of exploitation. Successful exploitation could lead to arbitrary code execution on the device, potentially granting the attacker complete control over the router. This is a critical vulnerability due to the ease of remote exploitation and the potential for significant impact.

Attack Chain

Attacker identifies a Tenda AC7 router running firmware version 15.03.06.44.
Attacker crafts a POST request targeting the /goform/SetSysTimeCfg endpoint.
The POST request includes the Time argument, set to a string exceeding the expected buffer size.
The fromSetSysTime function processes the Time argument without proper bounds checking.
The overly long Time argument overflows the stack buffer during the copy operation.
The buffer overflow overwrites critical data on the stack, including the return address.
The attacker controls the overwritten return address, redirecting execution flow to malicious code.
The attacker gains arbitrary code execution on the router, potentially leading to complete device compromise.

Impact

Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the affected Tenda AC7 router. This can lead to a variety of malicious outcomes, including complete device compromise, modification of router settings (DNS, firewall rules), interception of network traffic, and use of the router as a botnet node. Given the widespread use of Tenda routers, a large number of devices could be vulnerable, potentially impacting home users and small businesses.

Recommendation

Apply available patches or firmware updates provided by Tenda to address CVE-2026-4974.
Monitor webserver logs for POST requests to /goform/SetSysTimeCfg with abnormally long Time parameters, using the Sigma rule provided below.
Implement rate limiting on the /goform/SetSysTimeCfg endpoint to mitigate brute-force attempts to exploit the vulnerability.
Deploy the Sigma rule to detect processes spawned by the webserver after the exploit is triggered.

Tenda AC6 Stack-Based Buffer Overflow Vulnerability

hello@craftedsignal.io — Fri, 27 Mar 2026 17:16:30 +0000

A critical stack-based buffer overflow vulnerability has been identified in Tenda AC6 router firmware version 15.03.05.16. The vulnerability, tracked as CVE-2026-4960, resides within the fromWizardHandle function of the /goform/WizardHandle component, which handles POST requests. A remote attacker can exploit this vulnerability by sending a crafted POST request with a manipulated WANT or WANS argument, leading to arbitrary code execution on the device. Public exploit code is available, increasing the risk of widespread exploitation. This vulnerability poses a significant threat, potentially allowing attackers to gain complete control over vulnerable routers and compromise connected networks.

Attack Chain

Attacker identifies a Tenda AC6 router running firmware version 15.03.05.16.
The attacker crafts a malicious POST request targeting the /goform/WizardHandle endpoint.
Within the POST request, the attacker manipulates the WANT or WANS argument to inject a payload exceeding the buffer size.
The router processes the POST request, passing the attacker-controlled input to the vulnerable fromWizardHandle function.
The overflow occurs when the fromWizardHandle function copies the attacker-supplied data into a fixed-size buffer on the stack without proper bounds checking.
The injected payload overwrites adjacent memory locations on the stack, including the return address.
When the fromWizardHandle function returns, it jumps to the attacker-controlled address.
The attacker gains arbitrary code execution on the router, potentially leading to complete system compromise.

Impact

Successful exploitation of this vulnerability allows a remote attacker to gain complete control of the affected Tenda AC6 router. This can lead to a variety of malicious outcomes, including network hijacking, DNS poisoning, interception of network traffic, deployment of malware, and the creation of botnets. Given the widespread use of Tenda routers in home and small business networks, a large number of devices are potentially vulnerable. The CVSS v3.1 score of 8.8 reflects the high severity of this vulnerability.

Recommendation

Apply any available firmware updates from Tenda to patch CVE-2026-4960.
Monitor web server logs for suspicious POST requests to /goform/WizardHandle with abnormally long WANT or WANS parameters using the Sigma rule provided below.
Implement network intrusion detection system (NIDS) rules to detect exploit attempts targeting the /goform/WizardHandle endpoint.
Restrict access to the router’s web interface from the public internet where possible to reduce the attack surface.

Tenda AC5 Stack-Based Buffer Overflow Vulnerability (CVE-2026-4903)

hello@craftedsignal.io — Fri, 27 Mar 2026 12:00:00 +0000

CVE-2026-4903 describes a critical stack-based buffer overflow vulnerability affecting Tenda AC5 routers, specifically version 15.03.06.47. The vulnerability resides within the formQuickIndex function of the /goform/QuickIndex component, which handles POST requests. An attacker can remotely exploit this vulnerability by crafting a malicious POST request to /goform/QuickIndex with an overly long PPPOEPassword argument. This overflow allows the attacker to potentially overwrite adjacent…

EVerest CAN Interface Stack Buffer Overflow Vulnerability (CVE-2026-23995)

hello@craftedsignal.io — Fri, 27 Mar 2026 12:00:00 +0000

EVerest is an open-source software stack for electric vehicle (EV) charging infrastructure. A stack-based buffer overflow vulnerability, tracked as CVE-2026-23995, affects versions prior to 2026.02.0. The vulnerability stems from improper handling of CAN (Controller Area Network) interface names during initialization. Specifically, when an interface name exceeding IFNAMSIZ (16 bytes) is supplied to CAN open routines, the ifreq.ifr_name buffer overflows, potentially corrupting adjacent stack…

Tenda AC5 Stack-Based Buffer Overflow Vulnerability

hello@craftedsignal.io — Fri, 27 Mar 2026 00:16:24 +0000

A stack-based buffer overflow vulnerability, identified as CVE-2026-4905, has been discovered in Tenda AC5 home routers running firmware version 15.03.06.47. The vulnerability resides within the formWifiWpsOOB function in the /goform/WifiWpsOOB file, which handles POST requests. Attackers can remotely exploit this flaw by crafting a malicious POST request to this endpoint, specifically targeting the index argument. Successful exploitation leads to arbitrary code execution on the device…

EVerest IsoMux Certificate Filename Stack-Based Buffer Overflow Vulnerability

hello@craftedsignal.io — Thu, 26 Mar 2026 15:16:31 +0000

EVerest is an open-source software stack for electric vehicle (EV) charging infrastructure. Prior to version 2026.02.0, the IsoMux component contains a vulnerability related to certificate filename handling. Specifically, an off-by-one error occurs when validating the length of certificate filenames. If a filename in the certificate directory equals MAX_FILE_NAME_LENGTH (100 characters), a stack-based buffer overflow can be triggered. A malicious actor could exploit this vulnerability by creating a crafted filename, leading to the corruption of stack state and, potentially, arbitrary code execution. The vulnerability has a CVSS v3.1 score of 8.4 (HIGH). EVerest version 2026.02.0 addresses this issue with a patch.

Attack Chain

An attacker identifies a vulnerable EVerest instance running a version prior to 2026.02.0.
The attacker gains access to the certificate directory of the EVerest IsoMux component. The method of access is not specified in the report.
The attacker crafts a malicious filename with a length of 100 characters (MAX_FILE_NAME_LENGTH).
The attacker uploads or creates the crafted file within the certificate directory.
When IsoMux processes the certificate directory, the off-by-one error occurs during filename length validation.
The file_names[idx] buffer overflows, overwriting adjacent stack memory.
The overflow corrupts critical stack data, potentially including return addresses or other function parameters.
Upon function return, the corrupted return address is used, redirecting execution flow to attacker-controlled code, resulting in arbitrary code execution.

Impact

Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the EVerest system. This could lead to a compromise of the EV charging infrastructure, potentially disrupting charging services, modifying charging parameters, or gaining unauthorized access to sensitive data related to EV charging operations. Since EVerest is used in EV charging stations, a successful attack could impact multiple charging stations, depending on the deployment architecture, leading to a widespread disruption. The number of affected installations is currently unknown.

Recommendation

Upgrade EVerest to version 2026.02.0 or later to patch the vulnerability (CVE-2026-22593).
Monitor file creation events within the EVerest certificate directory for filenames with a length of 100 characters using a file_event rule.
Implement strict access controls to the certificate directory to prevent unauthorized file uploads or creation.
Deploy the provided Sigma rule to detect potential exploitation attempts by monitoring process creations related to the Everest software.

EVerest EV Charging Stack Remote Code Execution via Stack Buffer Overflow (CVE-2026-22790)

hello@craftedsignal.io — Thu, 26 Mar 2026 15:16:31 +0000

EVerest is an open-source software stack designed for managing EV charging infrastructure. Prior to version 2026.02.0, a critical vulnerability exists within the HomeplugMessage::setup_payload function. Specifically, the code trusts the len parameter after an assert statement during the processing of SLAC (Signal Level Attenuation Characterization) payloads. In release builds, the assert check is removed, which allows an attacker to send network frames with oversized SLAC payloads. This…

Tabs Mail Carrier 2.5.1 MAIL FROM Buffer Overflow Vulnerability

hello@craftedsignal.io — Tue, 24 Mar 2026 12:16:07 +0000

Tabs Mail Carrier 2.5.1 is susceptible to a critical buffer overflow vulnerability (CVE-2019-25646) affecting the MAIL FROM SMTP command. This flaw enables unauthenticated remote attackers to execute arbitrary code on the affected system. The vulnerability stems from insufficient bounds checking when processing the MAIL FROM parameter. By sending a specially crafted MAIL FROM command containing an oversized buffer, an attacker can overwrite the EIP register, hijack control flow, and ultimately execute a bind shell payload. This vulnerability can be exploited over the network via port 25 without requiring any prior authentication, making it easily exploitable. Successful exploitation grants the attacker complete control over the vulnerable system.

Attack Chain

The attacker connects to the target SMTP service on port 25.
The attacker sends a EHLO command to initiate communication with the SMTP server.
The attacker crafts a malicious MAIL FROM command with an oversized buffer.
The attacker sends the crafted MAIL FROM command to the SMTP server.
The oversized buffer overwrites the EIP register in memory.
The overwritten EIP register points to the attacker-controlled shellcode.
The shellcode executes, creating a bind shell on the target system.
The attacker connects to the bind shell and executes arbitrary commands.

Impact

Successful exploitation of this buffer overflow vulnerability allows remote attackers to execute arbitrary code with the privileges of the Tabs Mail Carrier process. This can lead to complete system compromise, including data theft, modification, or destruction. Given the ease of exploitation and the severity of the impact, this vulnerability poses a significant risk to organizations using the affected software. There is no information on the number of victims or sectors targeted.

Recommendation

Deploy the Sigma rule Detecting SMTP MAIL FROM Buffer Overflow to your SIEM to identify exploitation attempts targeting this vulnerability based on oversized MAIL FROM commands.
Monitor network connections to port 25 for unusual traffic patterns, especially related to long MAIL FROM commands, to detect potential exploitation attempts (network_connection log source).
Consider using a Web Application Firewall (WAF) or Intrusion Detection System (IDS) to inspect and filter SMTP traffic for malicious MAIL FROM commands.
Upgrade to a patched version of Tabs Mail Carrier that addresses this vulnerability as soon as it becomes available.

X-NetStat Pro 5.63 Local Buffer Overflow Vulnerability

hello@craftedsignal.io — Tue, 24 Mar 2026 12:16:04 +0000

X-NetStat Pro version 5.63 is susceptible to a local buffer overflow vulnerability, identified as CVE-2019-25637. This flaw enables a local attacker to execute arbitrary code on a targeted system. The vulnerability stems from a 264-byte buffer overflow that allows overwriting the EIP register. Successful exploitation allows attackers to inject shellcode into memory, leveraging an egg hunter technique to pinpoint and trigger the malicious payload. The vulnerable functionality resides within the…

Base64 Decoder 1.1.2 Stack-Based Buffer Overflow (CVE-2019-25634)

hello@craftedsignal.io — Tue, 24 Mar 2026 12:16:04 +0000

Base64 Decoder version 1.1.2 is susceptible to a stack-based buffer overflow vulnerability, identified as CVE-2019-25634. This flaw enables a local attacker to execute arbitrary code on a vulnerable system. The vulnerability arises from insufficient bounds checking when processing input, allowing an attacker to overwrite critical parts of the stack. Successful exploitation requires the attacker to craft a malicious input file specifically designed to trigger the overflow. The impact of this…