{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-6120/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-6120"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["tenda","router","buffer-overflow","cve-2026-6120","iot"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA stack-based buffer overflow vulnerability has been identified in Tenda F451 router firmware version 1.0.0.7. The vulnerability resides in the \u003ccode\u003efromDhcpListClient\u003c/code\u003e function within the \u003ccode\u003e/goform/DhcpListClient\u003c/code\u003e component\u0026rsquo;s httpd service. A remote attacker can exploit this vulnerability by sending a specially crafted HTTP request with a malicious \u003ccode\u003epage\u003c/code\u003e argument. This can lead to arbitrary code execution on the device. Given the public availability of the exploit (CVE-2026-6120), Tenda F451 routers are at immediate risk of compromise if not properly secured. This vulnerability poses a significant threat due to the widespread use of Tenda routers in home and small office environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a Tenda F451 router running vulnerable firmware version 1.0.0.7.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP GET or POST request targeting the \u003ccode\u003e/goform/DhcpListClient\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a \u003ccode\u003epage\u003c/code\u003e argument with a string exceeding the buffer size allocated for it in the \u003ccode\u003efromDhcpListClient\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ehttpd\u003c/code\u003e service on the router receives the malicious request and passes the \u003ccode\u003epage\u003c/code\u003e argument to the vulnerable function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efromDhcpListClient\u003c/code\u003e function attempts to copy the oversized \u003ccode\u003epage\u003c/code\u003e argument into a fixed-size buffer on the stack, causing a buffer overflow.\u003c/li\u003e\n\u003cli\u003eThe overflow overwrites adjacent stack memory, including the return address of the function.\u003c/li\u003e\n\u003cli\u003eThe attacker controls the overwritten return address, redirecting execution to attacker-controlled code or a ROP chain.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution on the router, potentially leading to complete device compromise and network access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to complete compromise of the Tenda F451 router. This allows attackers to control the device, intercept network traffic, change DNS settings, inject malicious scripts into web pages served to connected devices, or use the router as a pivot point for further attacks within the network. This vulnerability affects all users of the Tenda F451 router running firmware version 1.0.0.7, potentially impacting thousands of devices globally. Given the high CVSS score of 8.8, the risk is substantial.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests targeting the \u003ccode\u003e/goform/DhcpListClient\u003c/code\u003e endpoint, especially those with unusually long \u003ccode\u003epage\u003c/code\u003e parameters (refer to the rule \u003ccode\u003eTenda F451 Suspicious URI Length\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eInspect network traffic for abnormal patterns related to compromised routers (unusual DNS requests, connections to known malicious IPs).\u003c/li\u003e\n\u003cli\u003eImplement rate limiting and input validation on web server endpoints where possible to mitigate buffer overflow attempts.\u003c/li\u003e\n\u003cli\u003eApply any available firmware updates from Tenda to patch CVE-2026-6120, although patches may not be available.\u003c/li\u003e\n\u003cli\u003eConsider deploying network intrusion detection systems (NIDS) to identify and block exploitation attempts (refer to the \u003ccode\u003eTenda F451 Buffer Overflow Attempt\u003c/code\u003e rule).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-12T12:00:00Z","date_published":"2026-04-12T12:00:00Z","id":"/briefs/2026-04-tenda-f451-bo/","summary":"A remote stack-based buffer overflow vulnerability exists in the fromDhcpListClient function of the /goform/DhcpListClient component (httpd) within Tenda F451 firmware version 1.0.0.7, triggered by manipulating the 'page' argument, potentially allowing for arbitrary code execution.","title":"Tenda F451 Router Stack-Based Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-tenda-f451-bo/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-6120","version":"https://jsonfeed.org/version/1.1"}