{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-5830/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-5830"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-5830","tenda","router","buffer-overflow","stack-overflow"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical stack-based buffer overflow vulnerability, tracked as CVE-2026-5830, has been identified in Tenda AC15 routers running firmware version 15.03.05.18. The vulnerability resides in the \u003ccode\u003ewebsGetVar\u003c/code\u003e function within the \u003ccode\u003e/goform/SysToolChangePwd\u003c/code\u003e file, which handles password change requests. By crafting malicious requests and manipulating the \u003ccode\u003eoldPwd\u003c/code\u003e, \u003ccode\u003enewPwd\u003c/code\u003e, or \u003ccode\u003ecfmPwd\u003c/code\u003e arguments, an attacker can overwrite the stack, potentially leading to arbitrary code execution. The vulnerability is remotely exploitable by an authenticated user, and publicly available exploit code exists, increasing the risk of widespread exploitation. This poses a significant threat to home and small business networks using affected Tenda AC15 routers.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to the router\u0026rsquo;s web management interface, potentially through weak credentials or brute-forcing.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request to \u003ccode\u003e/goform/SysToolChangePwd\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes oversized data within the \u003ccode\u003eoldPwd\u003c/code\u003e, \u003ccode\u003enewPwd\u003c/code\u003e, or \u003ccode\u003ecfmPwd\u003c/code\u003e parameters.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ewebsGetVar\u003c/code\u003e function processes the request without proper bounds checking.\u003c/li\u003e\n\u003cli\u003eThe oversized data overflows the stack buffer, overwriting adjacent memory regions.\u003c/li\u003e\n\u003cli\u003eThe attacker carefully crafts the overflow to overwrite the return address on the stack.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ewebsGetVar\u003c/code\u003e function returns, diverting execution to the attacker-controlled address.\u003c/li\u003e\n\u003cli\u003eThe attacker-controlled address contains shellcode that executes arbitrary commands, potentially granting complete control over the device.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the affected Tenda AC15 router. This could lead to complete device compromise, including unauthorized access to network traffic, modification of router settings, installation of malware, and use of the compromised device as a botnet node. Given the potentially widespread use of Tenda AC15 routers in home and small business environments, a large number of devices could be vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches from Tenda to remediate CVE-2026-5830 as soon as they become available.\u003c/li\u003e\n\u003cli\u003eMonitor webserver logs for suspicious POST requests to \u003ccode\u003e/goform/SysToolChangePwd\u003c/code\u003e with unusually long \u003ccode\u003eoldPwd\u003c/code\u003e, \u003ccode\u003enewPwd\u003c/code\u003e, or \u003ccode\u003ecfmPwd\u003c/code\u003e parameters and deploy the Sigma rule \u003ccode\u003eDetect Tenda AC15 Password Change Overflow\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement strong password policies and multi-factor authentication to prevent unauthorized access to the router\u0026rsquo;s web management interface.\u003c/li\u003e\n\u003cli\u003eRestrict access to the router\u0026rsquo;s web management interface to trusted networks only by configuring firewall rules.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T02:16:17Z","date_published":"2026-04-09T02:16:17Z","id":"/briefs/2026-04-tenda-ac15-overflow/","summary":"A stack-based buffer overflow vulnerability (CVE-2026-5830) in Tenda AC15 firmware version 15.03.05.18 allows remote attackers to execute arbitrary code by manipulating password change parameters, potentially leading to complete device compromise.","title":"Tenda AC15 Router Stack-Based Buffer Overflow (CVE-2026-5830)","url":"https://feed.craftedsignal.io/briefs/2026-04-tenda-ac15-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-5830","version":"https://jsonfeed.org/version/1.1"}