{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-6121/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-6121"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-6121","buffer-overflow","tenda","router"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-6121 is a stack-based buffer overflow vulnerability affecting Tenda F451 router version 1.0.0.7. The vulnerability resides within the \u003ccode\u003eWrlclientSet\u003c/code\u003e function located in the \u003ccode\u003e/goform/WrlclientSet\u003c/code\u003e file of the \u003ccode\u003ehttpd\u003c/code\u003e component. An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the affected router, specifically manipulating the \u003ccode\u003eGO\u003c/code\u003e argument. Due to insufficient bounds checking on the \u003ccode\u003eGO\u003c/code\u003e argument\u0026rsquo;s size when passed to the \u003ccode\u003eWrlclientSet\u003c/code\u003e function, an attacker can write beyond the allocated buffer on the stack, potentially leading to arbitrary code execution. Publicly available exploits exist, increasing the risk of widespread exploitation. Routers that are accessible from the internet are at highest risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a Tenda F451 router version 1.0.0.7 exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/goform/WrlclientSet\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eWithin the HTTP POST request, the attacker includes the \u003ccode\u003eGO\u003c/code\u003e argument, filling it with a payload exceeding the buffer size allocated for it within the \u003ccode\u003eWrlclientSet\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ehttpd\u003c/code\u003e component of the Tenda F451 router receives the HTTP request and passes the \u003ccode\u003eGO\u003c/code\u003e argument to the vulnerable \u003ccode\u003eWrlclientSet\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eDue to the buffer overflow, the attacker\u0026rsquo;s payload overwrites adjacent memory locations on the stack.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s payload overwrites the return address on the stack, redirecting execution flow to attacker-controlled code.\u003c/li\u003e\n\u003cli\u003eThe attacker-controlled code executes with the privileges of the \u003ccode\u003ehttpd\u003c/code\u003e process, allowing the attacker to perform actions such as modifying router configuration, executing system commands, or establishing a reverse shell.\u003c/li\u003e\n\u003cli\u003eThe attacker gains persistent access to the router and potentially the internal network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6121 can lead to complete compromise of the affected Tenda F451 router. An attacker can gain unauthorized access to the device\u0026rsquo;s configuration, potentially modifying DNS settings, firewall rules, or other critical parameters. This can lead to redirection of user traffic, denial-of-service attacks, or the establishment of a foothold within the targeted network for further malicious activities. Given the ease of exploitation due to the publicly available exploit code, a large number of Tenda F451 routers could be compromised.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003e/goform/WrlclientSet\u003c/code\u003e with abnormally long \u003ccode\u003eGO\u003c/code\u003e parameter values to detect potential exploitation attempts (see Sigma rule below and enable webserver logging).\u003c/li\u003e\n\u003cli\u003eImplement rate limiting for requests to the \u003ccode\u003e/goform/WrlclientSet\u003c/code\u003e endpoint to mitigate potential brute-force exploitation attempts (configure your firewall or WAF).\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched firmware version when available or replace the affected devices, if the vendor does not provide a fix.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-12T08:16:36Z","date_published":"2026-04-12T08:16:36Z","id":"/briefs/2026-04-tenda-overflow/","summary":"A stack-based buffer overflow vulnerability (CVE-2026-6121) exists in the WrlclientSet function of the /goform/WrlclientSet file in the httpd component of Tenda F451 version 1.0.0.7, allowing remote attackers to execute arbitrary code by manipulating the GO argument.","title":"Tenda F451 Stack-Based Buffer Overflow Vulnerability (CVE-2026-6121)","url":"https://feed.craftedsignal.io/briefs/2026-04-tenda-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-6121","version":"https://jsonfeed.org/version/1.1"}