{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-7034/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-7034"}],"_cs_exploited":false,"_cs_products":["FH1202 1.2.0.14(408)"],"_cs_severities":["critical"],"_cs_tags":["cve-2026-7034","buffer-overflow","router","tenda"],"_cs_type":"advisory","_cs_vendors":["Tenda"],"content_html":"\u003cp\u003eA critical stack-based buffer overflow vulnerability, identified as CVE-2026-7034, has been discovered in Tenda FH1202 version 1.2.0.14(408). The vulnerability resides within the \u003ccode\u003eWrlExtraSet\u003c/code\u003e function of the \u003ccode\u003e/goform/WrlExtraSet\u003c/code\u003e component, which is part of the device\u0026rsquo;s \u003ccode\u003ehttpd\u003c/code\u003e server. A remote attacker can exploit this vulnerability by crafting a malicious HTTP request that manipulates the \u003ccode\u003eGo\u003c/code\u003e argument, leading to arbitrary code execution on the affected device. The exploit for this vulnerability has been made public, increasing the risk of widespread exploitation. 
This vulnerability poses a significant threat to users of the Tenda FH1202 router as it allows for complete compromise of the device.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Tenda FH1202 router exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/goform/WrlExtraSet\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a \u003ccode\u003eGo\u003c/code\u003e parameter with a payload exceeding the expected buffer size, triggering the stack-based buffer overflow.\u003c/li\u003e\n\u003cli\u003eThe overflow overwrites critical return addresses on the stack.\u003c/li\u003e\n\u003cli\u003eThe overwritten return address redirects execution to malicious code injected by the attacker within the overflowed buffer.\u003c/li\u003e\n\u003cli\u003eThe injected code executes with the privileges of the \u003ccode\u003ehttpd\u003c/code\u003e process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains complete control of the device, potentially allowing for the installation of malware, modification of router settings, or interception of network traffic.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a remote attacker to gain complete control of the Tenda FH1202 router. This can lead to a variety of malicious activities, including installing persistent backdoors, modifying DNS settings to redirect traffic, or using the compromised device as part of a botnet. Exploitation requires no authentication, which makes the flaw easy to exploit and increases its severity. 
While the exact number of affected devices is unknown, the widespread use of Tenda routers suggests a potentially large number of vulnerable targets.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to \u003ccode\u003e/goform/WrlExtraSet\u003c/code\u003e with unusually long \u003ccode\u003eGo\u003c/code\u003e parameter values to detect potential exploitation attempts. Reference the Sigma rule \u003ccode\u003eDetect Suspicious WrlExtraSet Requests\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting for requests to the \u003ccode\u003e/goform/WrlExtraSet\u003c/code\u003e endpoint to mitigate brute-force exploitation attempts.\u003c/li\u003e\n\u003cli\u003eConsider blocking or alerting on requests to \u003ccode\u003e/goform/WrlExtraSet\u003c/code\u003e originating from outside the expected user base (e.g., requests originating from outside the country where the organization operates).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-tenda-fh1202-bo/","summary":"A stack-based buffer overflow vulnerability exists in the Tenda FH1202 router, specifically in the WrlExtraSet function, allowing remote attackers to execute arbitrary code by manipulating the 'Go' argument in a request to /goform/WrlExtraSet.","title":"Tenda FH1202 Stack-Based Buffer Overflow Vulnerability (CVE-2026-7034)","url":"https://feed.craftedsignal.io/briefs/2024-01-tenda-fh1202-bo/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-7034","version":"https://jsonfeed.org/version/1.1"}