Cve-2026-5684 — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/cve-2026-5684/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioMon, 06 Apr 2026 22:16:24 +0000Tenda CX12L Router Stack-Based Buffer Overflow Vulnerabilityhttps://feed.craftedsignal.io/briefs/2026-04-tenda-cx12l-buffer-overflow/Mon, 06 Apr 2026 22:16:24 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-tenda-cx12l-buffer-overflow/A stack-based buffer overflow vulnerability exists in the Tenda CX12L router (version 16.03.53.12) due to improper handling of the 'page' argument in the 'fromwebExcptypemanFilter' function, potentially allowing attackers with local network access to execute arbitrary code.A critical stack-based buffer overflow vulnerability has been identified in Tenda CX12L routers running firmware version 16.03.53.12. The vulnerability resides within the fromwebExcptypemanFilter function in the /goform/webExcptypemanFilter file. An attacker with local network access can exploit this flaw by manipulating the page argument passed to this function, leading to arbitrary code execution on the device. The vulnerability, identified as CVE-2026-5684, has a CVSS v3.1 score of 8.0, indicating a high severity. Public exploits for this vulnerability are available, making it crucial for network administrators to address this issue promptly. Successful exploitation could allow an attacker to gain complete control of the router, potentially leading to data theft, network compromise, or denial of service.

Attack Chain

  1. Attacker gains access to the local network where the Tenda CX12L router is located.
  2. The attacker crafts a malicious HTTP request targeting the /goform/webExcptypemanFilter endpoint.
  3. The crafted request includes a page argument with a payload exceeding the buffer size allocated for it within the fromwebExcptypemanFilter function.
  4. The router processes the HTTP request and passes the overly long page argument to the vulnerable function.
  5. The fromwebExcptypemanFilter function attempts to write the contents of the page argument into a fixed-size buffer on the stack.
  6. Due to the excessive length of the page argument, the buffer overflows, overwriting adjacent memory regions on the stack.
  7. The attacker leverages the buffer overflow to overwrite the return address on the stack with the address of malicious code or a ROP chain.
  8. When the fromwebExcptypemanFilter function returns, control is transferred to the attacker-controlled code, allowing for arbitrary code execution.

Impact

Successful exploitation of CVE-2026-5684 allows an attacker with local network access to gain complete control of the affected Tenda CX12L router. This can lead to a variety of malicious activities, including unauthorized access to network traffic, modification of router settings, deployment of malicious firmware, and use of the compromised router as a botnet node. Given the availability of public exploits, organizations using this router model are at significant risk. The number of potential victims is dependent on the number of unpatched Tenda CX12L devices deployed.

Recommendation

  • Monitor webserver logs for HTTP requests targeting the /goform/webExcptypemanFilter endpoint with abnormally long page parameters to detect potential exploitation attempts. (Log Source: webserver, Rule: “Detect Tenda CX12L Web Request with Long Page Parameter”)
  • Deploy the Sigma rule “Detect Tenda CX12L Stack Buffer Overflow Attempt” to identify suspicious process creations following a potential exploit.
  • Review and restrict local network access to the Tenda CX12L router to reduce the attack surface, as the exploit requires local network access.
  • Contact Tenda for a security patch or firmware update to address CVE-2026-5684.
]]>highadvisorytendarouterbuffer-overflowcve-2026-5684