{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-4960/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-4960","buffer-overflow","tenda","router"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical stack-based buffer overflow vulnerability has been identified in Tenda AC6 router firmware version 15.03.05.16. The vulnerability, tracked as CVE-2026-4960, resides within the \u003ccode\u003efromWizardHandle\u003c/code\u003e function of the \u003ccode\u003e/goform/WizardHandle\u003c/code\u003e component, which handles POST requests. A remote attacker can exploit this vulnerability by sending a crafted POST request with a manipulated \u003ccode\u003eWANT\u003c/code\u003e or \u003ccode\u003eWANS\u003c/code\u003e argument, leading to arbitrary code execution on the device. Public exploit code is available, increasing the risk of widespread exploitation. This vulnerability poses a significant threat, potentially allowing attackers to gain complete control over vulnerable routers and compromise connected networks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a Tenda AC6 router running firmware version 15.03.05.16.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious POST request targeting the \u003ccode\u003e/goform/WizardHandle\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eWithin the POST request, the attacker manipulates the \u003ccode\u003eWANT\u003c/code\u003e or \u003ccode\u003eWANS\u003c/code\u003e argument to inject a payload exceeding the buffer size.\u003c/li\u003e\n\u003cli\u003eThe router processes the POST request, passing the attacker-controlled input to the vulnerable \u003ccode\u003efromWizardHandle\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe overflow occurs when the \u003ccode\u003efromWizardHandle\u003c/code\u003e function copies the attacker-supplied data into a fixed-size buffer on the stack without proper bounds checking.\u003c/li\u003e\n\u003cli\u003eThe injected payload overwrites adjacent memory locations on the stack, including the return address.\u003c/li\u003e\n\u003cli\u003eWhen the \u003ccode\u003efromWizardHandle\u003c/code\u003e function returns, it jumps to the attacker-controlled address.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution on the router, potentially leading to complete system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a remote attacker to gain complete control of the affected Tenda AC6 router. This can lead to a variety of malicious outcomes, including network hijacking, DNS poisoning, interception of network traffic, deployment of malware, and the creation of botnets. Given the widespread use of Tenda routers in home and small business networks, a large number of devices are potentially vulnerable. The CVSS v3.1 score of 8.8 reflects the high severity of this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply any available firmware updates from Tenda to patch CVE-2026-4960.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to \u003ccode\u003e/goform/WizardHandle\u003c/code\u003e with abnormally long \u003ccode\u003eWANT\u003c/code\u003e or \u003ccode\u003eWANS\u003c/code\u003e parameters using the Sigma rule provided below.\u003c/li\u003e\n\u003cli\u003eImplement network intrusion detection system (NIDS) rules to detect exploit attempts targeting the \u003ccode\u003e/goform/WizardHandle\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eRestrict access to the router\u0026rsquo;s web interface from the public internet where possible to reduce the attack surface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-27T17:16:30Z","date_published":"2026-03-27T17:16:30Z","id":"/briefs/2026-03-tenda-ac6-overflow/","summary":"A stack-based buffer overflow vulnerability in Tenda AC6 version 15.03.05.16 allows remote attackers to execute arbitrary code by manipulating the WANT/WANS argument in the /goform/WizardHandle POST request handler.","title":"Tenda AC6 Stack-Based Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-tenda-ac6-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-4960","version":"https://jsonfeed.org/version/1.1"}