{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-5684/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8,"id":"CVE-2026-5684"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["tenda","router","buffer-overflow","cve-2026-5684"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical stack-based buffer overflow vulnerability has been identified in Tenda CX12L routers running firmware version 16.03.53.12. The vulnerability resides within the \u003ccode\u003efromwebExcptypemanFilter\u003c/code\u003e function in the \u003ccode\u003e/goform/webExcptypemanFilter\u003c/code\u003e file.  An attacker with local network access can exploit this flaw by manipulating the \u003ccode\u003epage\u003c/code\u003e argument passed to this function, leading to arbitrary code execution on the device. The vulnerability, identified as CVE-2026-5684, has a CVSS v3.1 score of 8.0, indicating a high severity. Public exploits for this vulnerability are available, making it crucial for network administrators to address this issue promptly. Successful exploitation could allow an attacker to gain complete control of the router, potentially leading to data theft, network compromise, or denial of service.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains access to the local network where the Tenda CX12L router is located.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003e/goform/webExcptypemanFilter\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a \u003ccode\u003epage\u003c/code\u003e argument with a payload exceeding the buffer size allocated for it within the \u003ccode\u003efromwebExcptypemanFilter\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe router processes the HTTP request and passes the overly long \u003ccode\u003epage\u003c/code\u003e argument to the vulnerable function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efromwebExcptypemanFilter\u003c/code\u003e function attempts to write the contents of the \u003ccode\u003epage\u003c/code\u003e argument into a fixed-size buffer on the stack.\u003c/li\u003e\n\u003cli\u003eDue to the excessive length of the \u003ccode\u003epage\u003c/code\u003e argument, the buffer overflows, overwriting adjacent memory regions on the stack.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the buffer overflow to overwrite the return address on the stack with the address of malicious code or a ROP chain.\u003c/li\u003e\n\u003cli\u003eWhen the \u003ccode\u003efromwebExcptypemanFilter\u003c/code\u003e function returns, control is transferred to the attacker-controlled code, allowing for arbitrary code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5684 allows an attacker with local network access to gain complete control of the affected Tenda CX12L router. This can lead to a variety of malicious activities, including unauthorized access to network traffic, modification of router settings, deployment of malicious firmware, and use of the compromised router as a botnet node. Given the availability of public exploits, organizations using this router model are at significant risk. The number of potential victims is dependent on the number of unpatched Tenda CX12L devices deployed.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor webserver logs for HTTP requests targeting the \u003ccode\u003e/goform/webExcptypemanFilter\u003c/code\u003e endpoint with abnormally long \u003ccode\u003epage\u003c/code\u003e parameters to detect potential exploitation attempts. (Log Source: webserver, Rule: \u0026ldquo;Detect Tenda CX12L Web Request with Long Page Parameter\u0026rdquo;)\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Tenda CX12L Stack Buffer Overflow Attempt\u0026rdquo; to identify suspicious process creations following a potential exploit.\u003c/li\u003e\n\u003cli\u003eReview and restrict local network access to the Tenda CX12L router to reduce the attack surface, as the exploit requires local network access.\u003c/li\u003e\n\u003cli\u003eContact Tenda for a security patch or firmware update to address CVE-2026-5684.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T22:16:24Z","date_published":"2026-04-06T22:16:24Z","id":"/briefs/2026-04-tenda-cx12l-buffer-overflow/","summary":"A stack-based buffer overflow vulnerability exists in the Tenda CX12L router (version 16.03.53.12) due to improper handling of the 'page' argument in the 'fromwebExcptypemanFilter' function, potentially allowing attackers with local network access to execute arbitrary code.","title":"Tenda CX12L Router Stack-Based Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-tenda-cx12l-buffer-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-5684","version":"https://jsonfeed.org/version/1.1"}