https://feed.craftedsignal.io/tags/iot/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioFri, 01 May 2026 00:16:25 +0000https://feed.craftedsignal.io/briefs/2026-05-utt-hiper-buffer-overflow/Fri, 01 May 2026 00:16:25 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-utt-hiper-buffer-overflow/A buffer overflow vulnerability exists in UTT HiPER 1200GW devices up to version 2.5.3-170306, stemming from manipulation of the `strcpy` function in the `/goform/formRemoteControl` file, which allows remote attackers to execute arbitrary code.A buffer overflow vulnerability has been identified in UTT HiPER 1200GW devices with firmware versions up to 2.5.3-170306. The flaw resides within the strcpy function of the /goform/formRemoteControl file, which handles remote control functionalities. A remote attacker can exploit this vulnerability by sending a specially crafted request to trigger the buffer overflow, potentially leading to arbitrary code execution on the affected device. Publicly available exploit code exists, increasing the risk of exploitation. This vulnerability poses a significant threat to organizations using the affected UTT HiPER 1200GW devices, as it could allow attackers to gain unauthorized access and control over the device and potentially the network it is connected to.

Attack Chain

1. Attacker identifies a vulnerable UTT HiPER 1200GW device exposed to the internet.
2. Attacker crafts a malicious HTTP request targeting the /goform/formRemoteControl endpoint.
3. The malicious request includes a payload designed to overflow the buffer when processed by the strcpy function.
4. The vulnerable strcpy function within /goform/formRemoteControl copies the attacker-controlled data without proper bounds checking.
5. The buffer overflow overwrites adjacent memory regions, potentially including critical program data or execution pointers.
6. The attacker leverages the overflow to inject and execute arbitrary code on the device.
7. The attacker gains control of the device, potentially escalating privileges.
8. The attacker uses the compromised device to pivot to other systems on the network, exfiltrate sensitive data, or cause further damage.

Impact

Successful exploitation of this vulnerability could lead to complete compromise of the affected UTT HiPER 1200GW device. Attackers could gain unauthorized access to sensitive data, disrupt device functionality, or use the device as a foothold for further attacks within the network. Given that public exploits are available, the risk of widespread exploitation is high. While the exact number of affected devices is unknown, organizations using UTT HiPER 1200GW devices should take immediate action to mitigate this vulnerability.

Recommendation

• Apply available patches or firmware updates from UTT to address the buffer overflow vulnerability in UTT HiPER 1200GW devices.
• Monitor network traffic for suspicious requests targeting the /goform/formRemoteControl endpoint, and deploy the Sigma rule Detect Suspicious Requests to FormRemoteControl to identify potentially malicious activity.
• Implement input validation and sanitization measures to prevent buffer overflows in web applications.
• Consider network segmentation to limit the impact of a compromised device on other systems within the network.
• Review and restrict access to the device’s web interface to only authorized personnel.

]]>criticalthreatbuffer-overflowiotroutercvehttps://feed.craftedsignal.io/briefs/2026-04-utt-hiper-buffer-overflow/Wed, 29 Apr 2026 23:16:20 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-utt-hiper-buffer-overflow/A buffer overflow vulnerability in UTT HiPER 1250GW devices (versions up to 3.2.7-210907-180535) allows remote attackers to execute arbitrary code by manipulating the 'Profile' argument in the `strcpy` function of the `route/goform/ConfigAdvideo` file, due to insufficient bounds checking.A critical buffer overflow vulnerability, CVE-2026-7420, has been identified in UTT HiPER 1250GW devices. The vulnerability exists in versions up to 3.2.7-210907-180535. The vulnerability lies within the strcpy function in the route/goform/ConfigAdvideo file, where the ‘Profile’ argument is not properly validated, leading to a buffer overflow condition. This allows unauthenticated remote attackers to potentially execute arbitrary code on the device. Publicly available exploits exist, increasing the risk of exploitation. Defenders should implement mitigations and detection strategies immediately.

Attack Chain

1. The attacker identifies a vulnerable UTT HiPER 1250GW device exposed to the internet.
2. The attacker crafts a malicious HTTP request targeting the route/goform/ConfigAdvideo endpoint.
3. The HTTP request includes a ‘Profile’ argument with a payload exceeding the buffer size allocated for it.
4. The strcpy function attempts to copy the oversized ‘Profile’ argument into the undersized buffer.
5. The buffer overflow occurs, overwriting adjacent memory regions.
6. The attacker injects malicious code into the overflowed memory region to gain code execution.
7. The attacker achieves remote code execution on the UTT HiPER 1250GW device.
8. The attacker gains control of the device, potentially using it for further malicious activities such as lateral movement, data exfiltration, or denial-of-service attacks.

Impact

Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the UTT HiPER 1250GW device. This can lead to complete compromise of the device, potentially enabling attackers to gain unauthorized access to the network it is connected to, exfiltrate sensitive data, or use the device as a bot in a botnet. The impact is significant, especially if these devices are used in critical infrastructure or sensitive environments.

Recommendation

• Apply available patches or firmware updates for UTT HiPER 1250GW devices to remediate CVE-2026-7420.
• Implement network segmentation to isolate UTT HiPER 1250GW devices from critical network segments.
• Deploy the Sigma rule Detect UTT HiPER Buffer Overflow Attempt to identify malicious HTTP requests targeting the route/goform/ConfigAdvideo endpoint.
• Monitor web server logs for unusual activity and large ‘Profile’ argument values in requests to route/goform/ConfigAdvideo to identify potential exploitation attempts.

]]>criticaladvisorybuffer-overflowremote-code-executioniothttps://feed.craftedsignal.io/briefs/2026-04-totolink-n300rt-bo/Tue, 28 Apr 2026 04:16:23 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-totolink-n300rt-bo/A remote buffer overflow vulnerability exists in Totolink N300RT 3.4.0-B20250430 via manipulation of the 'entry_name' argument in the /boafrm/formIpQoS file, potentially leading to arbitrary code execution.A buffer overflow vulnerability, identified as CVE-2026-7219, has been discovered in Totolink N300RT router firmware version 3.4.0-B20250430. The vulnerability resides within the /boafrm/formIpQoS file and is triggered by manipulating the entry_name argument. An attacker can exploit this flaw remotely to potentially execute arbitrary code on the device. Publicly available exploit code exists, increasing the risk of exploitation. This vulnerability poses a significant threat to devices running the affected firmware, potentially allowing attackers to gain unauthorized access and control over the router.

Attack Chain

1. An attacker identifies a Totolink N300RT device running firmware version 3.4.0-B20250430.
2. The attacker crafts a malicious HTTP request targeting the /boafrm/formIpQoS file.
3. The crafted request includes a payload designed to overflow the buffer associated with the entry_name argument.
4. The router’s web server processes the malicious request, leading to a buffer overflow condition.
5. The attacker overwrites adjacent memory regions, potentially including return addresses or other critical data.
6. Upon function return, the overwritten return address is used, diverting execution flow to attacker-controlled code.
7. The attacker gains arbitrary code execution on the device.
8. The attacker can then use this access to modify router settings, intercept network traffic, or establish a persistent backdoor.

Impact

Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the Totolink N300RT device. This could lead to complete compromise of the router, enabling attackers to monitor network traffic, change DNS settings, or use the device as part of a botnet. Given the number of Totolink N300RT devices deployed, this vulnerability could have a widespread impact, especially for home and small business users.

Recommendation

• Monitor web server logs for requests targeting /boafrm/formIpQoS with unusually long entry_name parameters to detect potential exploitation attempts. Implement the Sigma rule Detect Suspicious Totolink FormIpQoS Requests.
• Apply firmware updates as soon as they are released by Totolink to patch CVE-2026-7219.
• Implement network segmentation to limit the impact of a compromised router on other devices on the network.
• Consider using a web application firewall (WAF) to filter out malicious requests targeting the router’s web interface and activate the Detect Large POST Requests to Router Config Pages Sigma rule.

]]>highadvisorybuffer-overflowiotroutercve-2026-7219https://feed.craftedsignal.io/briefs/2026-04-dlink-dir822-cmd-injection/Mon, 27 Apr 2026 00:20:13 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-dlink-dir822-cmd-injection/A command injection vulnerability exists in D-Link DIR-822 A_101, specifically within the udhcpd DHCP service; by manipulating the Hostname argument, a remote attacker can inject commands, but the affected product is no longer supported.A command injection vulnerability, tracked as CVE-2026-7067, has been identified in D-Link DIR-822 hardware with firmware version A_101. The vulnerability lies within the udhcpd DHCP service, specifically in the handling of the Hostname argument in the /udhcpcd/dhcpd.c file. A remote attacker can exploit this flaw by injecting arbitrary commands through a crafted Hostname field in a DHCP request. While a proof-of-concept exploit is publicly available, this vulnerability is less impactful because the D-Link DIR-822 A_101 is no longer supported by the vendor, potentially limiting the number of affected devices.

Attack Chain

1. The attacker identifies a vulnerable D-Link DIR-822 A_101 device.
2. The attacker crafts a malicious DHCP request containing a command injection payload in the Hostname field.
3. The attacker sends the crafted DHCP request to the vulnerable device.
4. The udhcpd service parses the DHCP request and extracts the Hostname.
5. Due to insufficient input validation, the injected command within the Hostname is passed to the system function.
6. The system function executes the injected command with the privileges of the udhcpd process (typically root).
7. The attacker achieves arbitrary code execution on the device.
8. The attacker can then perform actions such as gaining persistent access, modifying device configuration, or using the device as part of a botnet.

Impact

Successful exploitation of this command injection vulnerability allows a remote, unauthenticated attacker to execute arbitrary code on the affected D-Link DIR-822 A_101 device. Given the end-of-life status of the product, patching is unlikely, leaving devices vulnerable. An attacker could leverage this vulnerability to gain complete control of the router, potentially compromising networks connected to it. The specific number of vulnerable devices is unknown, but the impact could be significant if many devices remain in use.

Recommendation

• Deploy the Sigma rule to detect command injection attempts via DHCP Hostname (Sigma rule: DHCP Hostname Command Injection).
• Monitor network traffic for suspicious DHCP requests containing unusual characters or command sequences in the Hostname field, using network monitoring tools.
• Consider network segmentation to isolate potentially vulnerable D-Link DIR-822 A_101 devices from critical network resources.
• If replacement is not immediately feasible, implement strict access control lists on the firewall to limit access to the D-Link DIR-822 A_101 device’s management interface.

]]>highadvisorycommand-injectiondhcpiothttps://feed.craftedsignal.io/briefs/2026-04-tenda-hg10-bo/Sat, 25 Apr 2026 18:18:16 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-tenda-hg10-bo/A buffer overflow vulnerability in Tenda HG10 HG7_HG9_HG10re_300001138_en_xpon allows remote attackers to execute arbitrary code by manipulating the nextHop argument in the formRoute function of the /boaform/formRouting file, impacting device availability and integrity.A buffer overflow vulnerability, identified as CVE-2026-6988, has been discovered in Tenda HG10 HG7_HG9_HG10re_300001138_en_xpon. The vulnerability resides within the Boa Service, specifically affecting the formRoute function located in the /boaform/formRouting file. Successful exploitation of this flaw enables a remote attacker to overwrite memory by crafting a malicious request with a manipulated nextHop argument. This can lead to arbitrary code execution on the affected device. Given the potential for remote exploitation and the availability of a published exploit, this vulnerability poses a significant threat.

Attack Chain

1. The attacker identifies a vulnerable Tenda HG10 HG7_HG9_HG10re_300001138_en_xpon device with the vulnerable Boa web service exposed.
2. The attacker crafts a malicious HTTP request targeting the /boaform/formRouting endpoint.
3. The crafted request includes a specially crafted nextHop argument, exceeding the buffer size allocated for it.
4. The Boa service processes the request without proper bounds checking on the nextHop argument.
5. The oversized nextHop argument overwrites adjacent memory regions, including critical program data or return addresses.
6. The overwritten return address redirects execution flow to attacker-controlled code.
7. The attacker executes arbitrary code on the device with the privileges of the Boa service.
8. The attacker gains control of the device, potentially leading to data exfiltration, device hijacking, or further network compromise.

Impact

Successful exploitation of CVE-2026-6988 can lead to complete compromise of the affected Tenda HG10 HG7_HG9_HG10re_300001138_en_xpon device. This may result in unauthorized access to the device’s configuration, sensitive data exposure, or the device being used as a bot in a larger attack. Given that this device is likely used in home or small business environments, a successful attack could lead to significant data breaches, financial losses, and reputational damage. The availability of a public exploit increases the likelihood of widespread exploitation.

Recommendation

• Apply available patches or firmware updates released by Tenda to address CVE-2026-6988 as soon as possible.
• Implement network segmentation to limit the exposure of Tenda devices to the internet or untrusted networks.
• Monitor web server logs for suspicious activity targeting the /boaform/formRouting endpoint to detect potential exploit attempts (webserver log source).
• Deploy the Sigma rule “Detect Tenda HG10 Buffer Overflow Attempt” to identify malicious HTTP requests exploiting the nextHop argument (Sigma rule).
• Implement rate limiting on the /boaform/formRouting endpoint to mitigate potential brute-force exploitation attempts.

]]>criticaladvisorybuffer-overflowcve-2026-6988tendaiothttps://feed.craftedsignal.io/briefs/2026-04-mirai-dlink-rce/Thu, 23 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-mirai-dlink-rce/A new Mirai-based malware campaign is exploiting CVE-2025-29635, a command-injection vulnerability affecting D-Link DIR-823X routers, to enlist devices into the botnet.A new Mirai-based malware campaign has been observed exploiting CVE-2025-29635, a high-severity command injection vulnerability affecting D-Link DIR-823X routers. Discovered by Akamai’s SIRT in March 2026, the campaign involves attackers sending malicious POST requests to vulnerable D-Link routers to execute arbitrary commands. This vulnerability allows attackers to download and execute a shell script, ultimately leading to the deployment of Mirai-based malware. The affected D-Link routers reached end-of-life in November 2024, meaning a patch is unlikely. The same actor is also exploiting CVE-2023-1389 impacting TP-Link routers, and an RCE flaw in ZTE ZXV10 H108L routers, deploying the same Mirai payload.

Attack Chain

1. The attacker sends a POST request to the /goform/set_prohibiting endpoint on the D-Link DIR-823X router.
2. The POST request exploits CVE-2025-29635 to inject and execute arbitrary commands.
3. The injected commands change directories across writable paths on the router.
4. A shell script named dlink.sh is downloaded from an external IP address.
5. The dlink.sh script is executed on the compromised router.
6. The script installs a Mirai-based malware variant named “tuxnokill”.
7. “tuxnokill” establishes persistence and begins scanning for new targets.
8. The compromised device is then used to launch DDoS attacks, leveraging Mirai’s standard capabilities, including TCP SYN/ACK/STOMP, UDP floods, and HTTP null attacks.

Impact

Successful exploitation of CVE-2025-29635 allows attackers to remotely execute arbitrary commands on vulnerable D-Link DIR-823X routers. The compromised routers are then incorporated into the Mirai botnet, increasing its size and DDoS capabilities. Given that these routers are end-of-life, many remain unpatched, potentially leading to a large number of compromised devices. This can result in network disruptions and service outages for targeted entities, as well as potential data exfiltration.

Recommendation

• Monitor network traffic for POST requests to the /goform/set_prohibiting endpoint on D-Link routers, as described in the Attack Chain, to detect potential exploitation attempts.
• Deploy the Sigma rule Detect Mirai dlink.sh Download to identify attempts to download the malicious shell script.
• If using affected D-Link DIR-823X routers, TP-Link, or ZTE ZXV10 H108L routers, upgrade to a supported device or implement network segmentation to limit potential damage.
• Block the external IP address hosting the dlink.sh script if it can be reliably determined and is observed on your network.

]]>criticaladvisorymiraiddosrceiothttps://feed.craftedsignal.io/briefs/2026-04-anviz-auth-bypass/Fri, 17 Apr 2026 20:16:36 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-anviz-auth-bypass/Anviz CX2 Lite and CX7 devices are vulnerable to unauthenticated POST requests that allow modification of debug settings such as enabling SSH, leading to unauthorized state changes and potential compromise.CVE-2026-40461 describes a vulnerability affecting Anviz CX2 Lite and CX7 devices. The vulnerability allows unauthenticated attackers to send POST requests that modify debug settings on the devices. A successful exploit can enable features like SSH, which are normally restricted. This unauthorized configuration change could be leveraged to gain unauthorized access to the device and potentially the network it is connected to, allowing for further malicious activity. The vulnerability was disclosed in April 2026 and poses a significant risk to organizations using the affected Anviz devices for access control.

Attack Chain

1. The attacker identifies an Anviz CX2 Lite or CX7 device on the network.
2. The attacker sends an unauthenticated POST request to the device’s web interface.
3. The POST request targets a specific endpoint responsible for modifying debug settings.
4. The request includes parameters that enable debug features, such as SSH.
5. The device improperly processes the request without requiring authentication, modifying the debug settings accordingly.
6. The attacker uses the newly enabled SSH service to gain shell access to the device.
7. The attacker leverages the gained access to escalate privileges, move laterally within the network, or exfiltrate sensitive information.

Impact

Successful exploitation of CVE-2026-40461 allows an attacker to modify device settings, potentially enabling unauthorized access and control over Anviz CX2 Lite and CX7 devices. This can lead to a compromise of the physical security system and potentially the entire network. The impact includes unauthorized entry, data breaches, and disruption of operations. The number of affected devices and organizations is currently unknown.

Recommendation

• Monitor network traffic for POST requests targeting Anviz CX2 Lite and CX7 devices attempting to modify debug settings. Deploy the Sigma rule Detect Anviz Debug Setting Modification to identify such activity.
• Implement network segmentation to isolate Anviz devices from critical network resources to limit the impact of a potential compromise.
• Consult the vendor’s website (https://www.anviz.com/contact-us.html) and CISA advisory (https://www.cisa.gov/news-events/ics-advisories/icsa-26-106-03) for any available patches or mitigations.

]]>highadvisorycve-2026-40461authentication-bypassiothttps://feed.craftedsignal.io/briefs/2026-04-anviz-command-injection/Fri, 17 Apr 2026 20:16:35 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-anviz-command-injection/Anviz CX2 Lite is vulnerable to an authenticated command injection via the filename parameter, leading to arbitrary command execution and root-level access.CVE-2026-35682 describes an authenticated command injection vulnerability in Anviz CX2 Lite devices. An attacker with valid user credentials can inject arbitrary commands into the filename parameter, leading to remote code execution with root privileges. The vulnerability allows an attacker to execute commands like starting telnetd, effectively gaining complete control over the device. This poses a significant risk to organizations using vulnerable Anviz CX2 Lite devices for access control or time attendance, potentially leading to unauthorized access, data breaches, or denial-of-service conditions. The ICS-CERT advisory, ICSA-26-106-03, provides additional details.

Attack Chain

1. An attacker gains valid credentials for an Anviz CX2 Lite device.
2. The attacker authenticates to the device’s web interface or API.
3. The attacker identifies the vulnerable filename parameter in a specific request.
4. The attacker crafts a malicious request containing a command injection payload within the filename parameter (e.g., filename=;telnetd -p 1337 -l /bin/sh;).
5. The Anviz CX2 Lite device processes the request, improperly sanitizing the filename parameter.
6. The injected command executes with root privileges on the device.
7. The attacker uses the executed command to start a service like telnetd.
8. The attacker connects to the newly started service, gaining a root shell and complete control of the device.

Impact

Successful exploitation of CVE-2026-35682 allows a remote attacker to gain root-level access to the Anviz CX2 Lite device. This can lead to complete system compromise, including unauthorized access to sensitive data, modification of device settings, and potential use of the device as a foothold for further attacks within the network. Given that these devices are often used for physical access control, this vulnerability could lead to unauthorized physical access to secured areas.

Recommendation

• Apply available patches or firmware updates from Anviz to remediate CVE-2026-35682. Contact Anviz directly through their website for support and remediation steps (https://www.anviz.com/contact-us.html).
• Deploy the Sigma rule Detect Anviz CX2 Lite Command Injection Attempt to identify exploitation attempts against the device.
• Monitor web server logs for suspicious requests containing command injection payloads in the filename parameter to identify potential exploitation attempts.
• Review authentication logs for unauthorized access attempts to the Anviz CX2 Lite devices.

]]>criticaladvisorycommand-injectionunauthorized-accessiothttps://feed.craftedsignal.io/briefs/2026-04-anviz-rce/Fri, 17 Apr 2026 20:16:35 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-anviz-rce/Anviz CX2 Lite and CX7 devices are vulnerable to unverified update packages that allow for unauthenticated remote code execution by unpacking and executing a malicious script.The Anviz CX2 Lite and CX7 devices are susceptible to a critical vulnerability (CVE-2026-40066) stemming from the lack of integrity checks on update packages. An attacker can upload a crafted update package to the device. The vulnerable devices then unpack the contents of this package and execute a script without proper authentication or verification. This leads to unauthenticated remote code execution, potentially allowing the attacker to gain complete control over the compromised device. The vulnerability was reported by ICS-CERT and assigned a CVSS v3.1 base score of 8.8, indicating a high severity. Successful exploitation of this vulnerability allows an attacker to perform any action on the device, including stealing data, installing malware, or using the device as a foothold for further attacks on the network.

Attack Chain

1. Attacker identifies an Anviz CX2 Lite or CX7 device accessible on the network.
2. Attacker crafts a malicious update package containing a script designed for remote code execution.
3. The attacker uploads the malicious update package to the device’s update interface. Due to the vulnerability, this upload may not require authentication.
4. The device unpacks the contents of the update package, including the malicious script.
5. The device executes the script without proper verification or sanitization.
6. The malicious script executes arbitrary commands on the device.
7. The attacker gains remote shell access to the device.
8. The attacker leverages the compromised device to move laterally within the network or exfiltrate sensitive data.

Impact

Successful exploitation of CVE-2026-40066 results in unauthenticated remote code execution on the affected Anviz CX2 Lite and CX7 devices. This can lead to complete compromise of the device, allowing attackers to steal sensitive data, install malware, or use the device as a pivot point to gain access to other systems on the network. Given the potential for widespread deployment of these devices in various sectors, the impact could be significant, affecting many organizations.

Recommendation

• Apply any available patches or updates from Anviz to address CVE-2026-40066.
• Monitor network traffic for suspicious activity related to Anviz devices attempting to download or install update packages, and deploy the network connection rule below.
• Implement network segmentation to limit the potential impact of a compromised Anviz device on other systems.
• Monitor process creation on Anviz devices for unusual or unexpected processes, and deploy the process creation rule below.

]]>criticaladvisorycve-2026-40066rceiothttps://feed.craftedsignal.io/briefs/2026-04-totolink-a800r-buffer-overflow/Mon, 13 Apr 2026 04:26:40 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-totolink-a800r-buffer-overflow/A remote buffer overflow vulnerability exists in the Totolink A800R router version 4.1.2cu.5137_B20200730, allowing unauthenticated attackers to potentially execute arbitrary code by overflowing the apcliSsid argument in the setAppEasyWizardConfig function within the /lib/cste_modules/app.so library.A critical buffer overflow vulnerability, identified as CVE-2026-6157, has been discovered in Totolink A800R routers running firmware version 4.1.2cu.5137_B20200730. The vulnerability resides within the setAppEasyWizardConfig function in the /lib/cste_modules/app.so library. Successful exploitation allows remote attackers to potentially execute arbitrary code on the device. Publicly available exploits exist, increasing the risk of widespread exploitation. Routers are often the perimeter defense for networks making them lucrative targets.

Attack Chain

1. The attacker identifies a vulnerable Totolink A800R router with firmware version 4.1.2cu.5137_B20200730 exposed to the internet.
2. The attacker crafts a malicious HTTP request targeting the setAppEasyWizardConfig function.
3. The malicious request includes an overly long string as the value for the apcliSsid argument.
4. The router receives the HTTP request and passes the apcliSsid argument to the setAppEasyWizardConfig function.
5. The setAppEasyWizardConfig function copies the contents of apcliSsid into a fixed-size buffer without proper bounds checking.
6. The overly long apcliSsid string overflows the buffer, overwriting adjacent memory locations.
7. The attacker carefully crafts the overflowed data to overwrite the return address of the function.
8. When the function returns, control is transferred to the attacker’s code, leading to arbitrary code execution. This could lead to the installation of malware or complete control of the device.

Impact

Successful exploitation of this buffer overflow vulnerability grants the attacker the ability to execute arbitrary code on the affected Totolink A800R router. This can result in complete compromise of the device, enabling the attacker to intercept network traffic, modify router settings, or use the router as a launching point for further attacks within the network. Given the availability of public exploits, a large number of devices could be vulnerable, making this a high-impact threat.

Recommendation

• Apply any available firmware updates from Totolink to patch CVE-2026-6157.
• Monitor network traffic for suspicious HTTP requests targeting the setAppEasyWizardConfig function, as described in the attack chain. Deploy the provided Sigma rule to detect potential exploitation attempts.
• Implement network segmentation to limit the impact of a compromised router.
• If updates are unavailable, consider replacing the vulnerable device.
• Disable remote management access to the router to reduce the attack surface.

]]>criticaladvisorycve-2026-6157buffer-overflowrouteriothttps://feed.craftedsignal.io/briefs/2026-04-tenda-f451-bo/Sun, 12 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-tenda-f451-bo/A remote stack-based buffer overflow vulnerability exists in the fromDhcpListClient function of the /goform/DhcpListClient component (httpd) within Tenda F451 firmware version 1.0.0.7, triggered by manipulating the 'page' argument, potentially allowing for arbitrary code execution.A stack-based buffer overflow vulnerability has been identified in Tenda F451 router firmware version 1.0.0.7. The vulnerability resides in the fromDhcpListClient function within the /goform/DhcpListClient component’s httpd service. A remote attacker can exploit this vulnerability by sending a specially crafted HTTP request with a malicious page argument. This can lead to arbitrary code execution on the device. Given the public availability of the exploit (CVE-2026-6120), Tenda F451 routers are at immediate risk of compromise if not properly secured. This vulnerability poses a significant threat due to the widespread use of Tenda routers in home and small office environments.

Attack Chain

1. Attacker identifies a Tenda F451 router running vulnerable firmware version 1.0.0.7.
2. The attacker crafts a malicious HTTP GET or POST request targeting the /goform/DhcpListClient endpoint.
3. The crafted request includes a page argument with a string exceeding the buffer size allocated for it in the fromDhcpListClient function.
4. The httpd service on the router receives the malicious request and passes the page argument to the vulnerable function.
5. The fromDhcpListClient function attempts to copy the oversized page argument into a fixed-size buffer on the stack, causing a buffer overflow.
6. The overflow overwrites adjacent stack memory, including the return address of the function.
7. The attacker controls the overwritten return address, redirecting execution to attacker-controlled code or a ROP chain.
8. The attacker gains arbitrary code execution on the router, potentially leading to complete device compromise and network access.

Impact

Successful exploitation of this vulnerability can lead to complete compromise of the Tenda F451 router. This allows attackers to control the device, intercept network traffic, change DNS settings, inject malicious scripts into web pages served to connected devices, or use the router as a pivot point for further attacks within the network. This vulnerability affects all users of the Tenda F451 router running firmware version 1.0.0.7, potentially impacting thousands of devices globally. Given the high CVSS score of 8.8, the risk is substantial.

Recommendation

• Monitor web server logs for suspicious requests targeting the /goform/DhcpListClient endpoint, especially those with unusually long page parameters (refer to the rule Tenda F451 Suspicious URI Length).
• Inspect network traffic for abnormal patterns related to compromised routers (unusual DNS requests, connections to known malicious IPs).
• Implement rate limiting and input validation on web server endpoints where possible to mitigate buffer overflow attempts.
• Apply any available firmware updates from Tenda to patch CVE-2026-6120, although patches may not be available.
• Consider deploying network intrusion detection systems (NIDS) to identify and block exploitation attempts (refer to the Tenda F451 Buffer Overflow Attempt rule).

]]>criticaladvisorytendarouterbuffer-overflowcve-2026-6120iothttps://feed.craftedsignal.io/briefs/2024-01-iot-ddos-disruption/Fri, 20 Mar 2026 05:50:09 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-iot-ddos-disruption/Law enforcement has disrupted significant IoT botnets responsible for launching record-breaking distributed denial-of-service (DDoS) attacks, impacting the availability of targeted systems.Authorities have dismantled a globally distributed network of compromised Internet of Things (IoT) devices that were being leveraged to conduct large-scale DDoS attacks. The botnets consisted of a large number of IoT devices. These attacks overwhelmed target systems, rendering them inaccessible. While the specific devices, malware, and attribution remain undisclosed in the provided source, the disruption of these botnets is a significant event for defenders, as it reduces the overall capacity for attackers to launch extremely large DDoS attacks. The botnets were responsible for record-breaking attacks.

Attack Chain

1. Compromise IoT Devices: Attackers exploit vulnerabilities (e.g., default credentials, unpatched firmware) on IoT devices such as routers, cameras, and DVRs.
2. Install Malware: Malicious software specifically designed for the IoT architecture is installed on the compromised devices.
3. Botnet Formation: The malware turns the IoT devices into bots, which are controlled remotely by a command-and-control (C2) server.
4. C2 Communication: The bots maintain persistent communication with the C2 server, awaiting instructions for launching attacks.
5. DDoS Attack Initiation: The C2 server issues commands to the bots, instructing them to flood a target system with malicious traffic.
6. Traffic Amplification: The bots, now acting in unison, send high volumes of traffic to the target, overwhelming its resources.
7. Service Disruption: The target system becomes unavailable to legitimate users due to the sheer volume of malicious traffic.
8. Impact: Disruption of services for targeted organizations, potentially leading to financial losses and reputational damage.

Impact

The DDoS attacks launched by these IoT botnets caused significant service disruptions for targeted organizations. The scope of the attacks was described as “record-breaking”, suggesting a large number of victims and potential financial losses. Sectors affected are not detailed in the source, but DDoS attacks can impact any organization with an online presence. Successful attacks lead to website and application unavailability, impacting business operations and customer access.

Recommendation

• Monitor network traffic for unusual spikes in volume and traffic patterns indicative of DDoS attacks.
• Implement rate limiting and traffic filtering on network infrastructure to mitigate the impact of DDoS attacks.
• Although no specific IOCs are available, investigate any alerts related to high-volume network traffic originating from internal devices.
• Enable logging on network devices to capture potential indicators of compromise and attack activity.

]]>highadvisoryiotddosbotnetdisruptionhttps://feed.craftedsignal.io/briefs/2026-03-mirai-c2-dos/Mon, 16 Mar 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-mirai-c2-dos/CVE-2024-45163 is a remote denial-of-service vulnerability affecting Mirai command and control (C2) infrastructure, potentially disrupting botnet operations and related malicious activities.<p>CVE-2024-45163 describes a remote denial-of-service vulnerability present within Mirai C2 infrastructure. While specific details regarding the vulnerability itself are not provided in this brief, the existence of a publicly known vulnerability in Mirai C2 servers is significant. Mirai is a well-known IoT botnet that has been used in numerous large-scale DDoS attacks. Exploitation of this vulnerability could allow attackers to disrupt Mirai botnet operations, potentially mitigating ongoing…</p> highadvisorycve-2024-45163miraidosiot