{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-5686/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-5686"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-5686","tenda","router","stack-based buffer overflow","remote code execution"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-5686 is a critical vulnerability affecting Tenda CX12L routers running firmware version 16.03.53.12. This stack-based buffer overflow is located in the \u003ccode\u003efromRouteStatic\u003c/code\u003e function within the \u003ccode\u003e/goform/RouteStatic\u003c/code\u003e file. A remote, unauthenticated attacker can exploit this vulnerability by sending a crafted request with a malicious \u003ccode\u003epage\u003c/code\u003e argument. Publicly available exploit code exists, increasing the risk of widespread exploitation. Successful exploitation could lead to arbitrary code execution, potentially allowing attackers to gain full control of the affected router. This poses a significant risk to home and small business networks using the vulnerable device.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Tenda CX12L router running firmware version 16.03.53.12.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP POST request to \u003ccode\u003e/goform/RouteStatic\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request includes a \u003ccode\u003epage\u003c/code\u003e argument with a string exceeding the buffer size allocated to the \u003ccode\u003efromRouteStatic\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe oversized \u003ccode\u003epage\u003c/code\u003e argument overwrites adjacent memory on the stack, including the return address.\u003c/li\u003e\n\u003cli\u003eWhen the \u003ccode\u003efromRouteStatic\u003c/code\u003e function returns, it attempts to jump to the overwritten return address controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s payload, injected via the overflowed buffer, is executed with the privileges of the \u003ccode\u003ehttpd\u003c/code\u003e process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote code execution on the router.\u003c/li\u003e\n\u003cli\u003eThe attacker can then use the compromised router as a foothold for further attacks, such as network reconnaissance, lateral movement, or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5686 allows a remote attacker to execute arbitrary code on the affected Tenda CX12L router. This could lead to a complete compromise of the device, enabling attackers to modify router settings, intercept network traffic, or use the router as a proxy for malicious activities. Given the widespread use of Tenda routers in home and small business networks, this vulnerability could have a significant impact, potentially affecting thousands of users. A successful attack could lead to data breaches, service disruptions, and further compromise of connected devices within the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches or firmware updates provided by Tenda to address CVE-2026-5686.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to \u003ccode\u003e/goform/RouteStatic\u003c/code\u003e with unusually long \u003ccode\u003epage\u003c/code\u003e parameters, using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement network intrusion detection systems (IDS) to detect and block exploit attempts targeting this vulnerability.\u003c/li\u003e\n\u003cli\u003eRestrict access to the router\u0026rsquo;s administrative interface to trusted networks or IP addresses to limit the attack surface.\u003c/li\u003e\n\u003cli\u003eRegularly review router configurations and security settings to ensure they align with best practices.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T22:16:24Z","date_published":"2026-04-06T22:16:24Z","id":"/briefs/2026-04-tenda-cx12l-stack-overflow/","summary":"A stack-based buffer overflow vulnerability (CVE-2026-5686) exists in the Tenda CX12L router version 16.03.53.12, allowing remote attackers to potentially execute arbitrary code by manipulating the 'page' argument in the `/goform/RouteStatic` endpoint.","title":"Tenda CX12L Router Stack-Based Buffer Overflow Vulnerability (CVE-2026-5686)","url":"https://feed.craftedsignal.io/briefs/2026-04-tenda-cx12l-stack-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-5686","version":"https://jsonfeed.org/version/1.1"}