https://feed.craftedsignal.io/tags/router/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioMon, 04 May 2026 10:16:01 +0000https://feed.craftedsignal.io/briefs/2026-05-totolink-n300rh-buffer-overflow/Mon, 04 May 2026 10:16:01 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-totolink-n300rh-buffer-overflow/A buffer overflow vulnerability exists in Totolink N300RH version 3.2.4-B20220812, specifically affecting the setWanConfig function within the /cgi-bin/cstecgi.cgi file, allowing a remote attacker to exploit it by manipulating the priDns argument in a POST request.A buffer overflow vulnerability has been identified in Totolink N300RH router version 3.2.4-B20220812. The vulnerability resides in the setWanConfig function within the /cgi-bin/cstecgi.cgi file, which handles POST requests. An attacker can exploit this vulnerability by manipulating the priDns argument in a crafted POST request. The vulnerability allows for remote exploitation, meaning an attacker does not need local access to the device. Public exploits for this vulnerability are already available, increasing the risk of exploitation. This vulnerability was published on 2026-05-04.

Attack Chain

1. The attacker identifies a vulnerable Totolink N300RH router running firmware version 3.2.4-B20220812.
2. The attacker crafts a malicious POST request targeting the /cgi-bin/cstecgi.cgi endpoint.
3. Within the POST request, the attacker includes the priDns argument with a value exceeding the buffer size.
4. The setWanConfig function processes the priDns argument without proper bounds checking.
5. The oversized priDns value overwrites adjacent memory on the stack, potentially including control flow data.
6. The attacker gains control of the program execution flow by overwriting the return address.
7. The attacker executes arbitrary code on the router, potentially gaining a shell.
8. The attacker could then use the compromised router to perform lateral movement, exfiltrate data, or establish a persistent backdoor.

Impact

Successful exploitation of this buffer overflow vulnerability can lead to complete compromise of the Totolink N300RH router. An attacker could gain unauthorized access to the device’s configuration, intercept network traffic, or use the router as a pivot point to attack other devices on the network. Given that public exploits are available, a wide range of attackers could potentially exploit this vulnerability. The CVSS v3.1 base score is 8.8 (HIGH).

Recommendation

• Monitor web server logs for POST requests to /cgi-bin/cstecgi.cgi with abnormally long priDns values to detect potential exploitation attempts using the provided Sigma rule.
• Implement network intrusion detection system (NIDS) rules to detect and block malicious POST requests targeting /cgi-bin/cstecgi.cgi.
• Contact Totolink for a security patch or firmware update to address CVE-2026-7749.

]]>highadvisorybuffer-overflowroutercve-2026-7749https://feed.craftedsignal.io/briefs/2026-05-totolink-buffer-overflow/Mon, 04 May 2026 10:16:01 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-totolink-buffer-overflow/A buffer overflow vulnerability exists in Totolink N300RH 3.2.4-B20220812 allowing remote attackers to execute arbitrary code by manipulating the mac_address argument in the setMacFilterRules function of the /cgi-bin/cstecgi.cgi POST request handler.A buffer overflow vulnerability, identified as CVE-2026-7750, affects Totolink N300RH router version 3.2.4-B20220812. The vulnerability resides in the setMacFilterRules function within the /cgi-bin/cstecgi.cgi file, which handles POST requests. Attackers can exploit this flaw by sending a specially crafted POST request with an overly long mac_address parameter, triggering a buffer overflow. Successful exploitation allows for arbitrary code execution on the device. The vulnerability is remotely exploitable, and a public exploit is available, increasing the risk of widespread attacks. Defenders should prioritize patching or mitigating this vulnerability to prevent potential compromise of affected devices.

Attack Chain

1. The attacker identifies a vulnerable Totolink N300RH router running firmware version 3.2.4-B20220812.
2. The attacker crafts a malicious POST request targeting the /cgi-bin/cstecgi.cgi endpoint.
3. Within the POST request, the attacker includes the mac_address parameter, injecting a string longer than the buffer allocated for it.
4. The setMacFilterRules function processes the POST request without proper bounds checking on the mac_address argument.
5. The overly long mac_address value overflows the buffer, overwriting adjacent memory regions.
6. The attacker carefully crafts the overflow to overwrite the return address, redirecting execution flow to attacker-controlled code.
7. The injected code executes with the privileges of the web server, allowing the attacker to execute arbitrary commands.
8. The attacker gains complete control over the router, potentially using it for further malicious activities such as network pivoting, data exfiltration, or denial-of-service attacks.

Impact

Successful exploitation of CVE-2026-7750 allows a remote attacker to execute arbitrary code on the vulnerable Totolink N300RH device. This could lead to a complete compromise of the router, allowing the attacker to control network traffic, steal sensitive information, or use the router as a bot in a larger attack. Given the public availability of the exploit, a large number of unpatched devices could be vulnerable to automated attacks, potentially impacting thousands of users.

Recommendation

• Apply available patches or firmware updates provided by Totolink to address CVE-2026-7750.
• Implement network intrusion detection system (IDS) rules to detect and block suspicious POST requests targeting the /cgi-bin/cstecgi.cgi endpoint with excessively long mac_address parameters.
• Deploy the Sigma rules in this brief to your SIEM to detect exploitation attempts.
• Monitor web server logs for unusual POST requests to /cgi-bin/cstecgi.cgi, focusing on requests with large mac_address values.

]]>criticaladvisorybuffer-overflowroutercvewebserverhttps://feed.craftedsignal.io/briefs/2026-05-totolink-wa300-buffer-overflow/Mon, 04 May 2026 01:16:05 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-totolink-wa300-buffer-overflow/A remote buffer overflow vulnerability exists in the UploadCustomModule function of the /cgi-bin/cstecgi.cgi file in the POST Request Handler component of Totolink WA300 version 5.2cu.7112_B20190227, which can be exploited by manipulating the File argument.A buffer overflow vulnerability has been identified in Totolink WA300 wireless router, specifically version 5.2cu.7112_B20190227. The vulnerability resides within the UploadCustomModule function of the /cgi-bin/cstecgi.cgi file, a component of the POST Request Handler. The identified vulnerability allows a remote attacker to cause a buffer overflow through manipulation of the File argument within a crafted POST request. Public proof-of-concept exploit code is available, increasing the likelihood of exploitation. This vulnerability poses a significant risk, as successful exploitation could lead to arbitrary code execution, potentially allowing attackers to fully compromise affected devices. Defenders should prioritize detection and mitigation strategies to prevent exploitation.

Attack Chain

1. Attacker identifies a vulnerable Totolink WA300 device running firmware version 5.2cu.7112_B20190227.
2. Attacker crafts a malicious POST request targeting the /cgi-bin/cstecgi.cgi endpoint.
3. The POST request includes a File argument with a payload exceeding the buffer size allocated for the UploadCustomModule function.
4. The UploadCustomModule function processes the POST request without proper bounds checking on the File argument.
5. The oversized File argument overwrites adjacent memory regions, including potentially critical program data and control flow instructions.
6. The buffer overflow allows the attacker to inject and execute arbitrary code on the device.
7. The attacker gains remote shell access to the device with elevated privileges.
8. The attacker could then use the compromised device to pivot into the internal network or cause a denial-of-service condition.

Impact

Successful exploitation of this buffer overflow vulnerability can lead to complete compromise of the affected Totolink WA300 device. An attacker could gain unauthorized access to the device’s configuration, intercept network traffic, or use the device as a bot in a larger attack. Given the high CVSS score of 8.8, the impact is considered critical. Home and small business networks using the affected router model are at risk. The vulnerability allows for remote code execution, leading to significant potential for damage.

Recommendation

• Deploy the Sigma rule Detect Totolink WA300 UploadCustomModule Buffer Overflow Attempt to detect malicious POST requests targeting the vulnerable endpoint.
• Monitor web server logs for POST requests to /cgi-bin/cstecgi.cgi with unusually large File parameters, as indicated in the Sigma rule.
• Apply any available firmware updates from Totolink to patch CVE-2026-7717 if they become available.
• Implement network segmentation to limit the impact of a compromised router on other internal network resources.

]]>criticalthreatbuffer-overflowremote-code-executionrouterhttps://feed.craftedsignal.io/briefs/2026-05-edimax-bo/Sun, 03 May 2026 07:16:25 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-edimax-bo/A buffer overflow vulnerability exists in Edimax BR-6208AC devices (<= 1.02) via manipulation of the pptpDfGateway argument in the /goform/setWAN endpoint, potentially allowing remote attackers to execute arbitrary code.A buffer overflow vulnerability, CVE-2026-7685, has been identified in Edimax BR-6208AC routers up to version 1.02. The vulnerability resides within the /goform/setWAN file, specifically related to the pptpDfGateway argument. Successful exploitation of this flaw could allow a remote attacker to execute arbitrary code or cause a denial-of-service condition. Publicly available exploits exist, increasing the risk of widespread exploitation. The vendor was notified but has not responded. Given the ease of exploitation and the potential for significant impact, this vulnerability poses a critical threat to affected devices.

Attack Chain

1. Attacker identifies an Edimax BR-6208AC router with firmware version 1.02 or earlier exposed to the internet.
2. The attacker crafts a malicious HTTP POST request targeting the /goform/setWAN endpoint.
3. Within the POST request, the attacker includes the pptpDfGateway argument, injecting a payload exceeding the buffer’s expected size.
4. The router’s web server processes the malicious request without proper input validation on the size of the pptpDfGateway argument.
5. The oversized payload overwrites adjacent memory regions on the stack, potentially including return addresses or other critical data.
6. When the function attempts to return, it jumps to an address controlled by the attacker, leading to arbitrary code execution.
7. The attacker executes commands to gain control of the device, potentially installing malware or modifying router settings.

Impact

Successful exploitation of this vulnerability can lead to complete compromise of the Edimax BR-6208AC router. An attacker could leverage this access to perform a variety of malicious activities, including eavesdropping on network traffic, injecting malicious code into web pages served by the router, or using the router as a bot in a larger botnet. Given the availability of public exploits, unpatched devices are at immediate risk of compromise.

Recommendation

• Deploy the Sigma rule Detect Edimax BR-6208AC setWAN Buffer Overflow Attempt to identify exploitation attempts in web server logs.
• Inspect web server logs for POST requests to /goform/setWAN containing unusually long pptpDfGateway parameters, as detected by the Sigma rule Detect Long pptpDfGateway Parameter.
• Apply appropriate network segmentation to limit the blast radius of compromised devices and prevent lateral movement.

]]>criticaladvisorybuffer overflowcve-2026-7685routerwebserverhttps://feed.craftedsignal.io/briefs/2026-05-totolink-rce/Fri, 01 May 2026 03:16:01 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-totolink-rce/A stack-based buffer overflow vulnerability (CVE-2026-7546) in the Totolink NR1800X router allows remote attackers to achieve arbitrary code execution by sending a crafted HTTP request with a manipulated Host header to the vulnerable lighttpd component.A critical security vulnerability, CVE-2026-7546, affects Totolink NR1800X routers running firmware version 9.1.0u.6279_B20210910. The vulnerability resides within the find_host_ip function of the lighttpd web server component. By exploiting this flaw, a remote, unauthenticated attacker can trigger a stack-based buffer overflow through manipulation of the Host argument in an HTTP request. The publicly disclosed exploit allows attackers to potentially gain complete control of the device. This vulnerability poses a significant risk to home and small business networks utilizing the affected Totolink router model, as successful exploitation leads to arbitrary code execution.

Attack Chain

1. The attacker identifies a vulnerable Totolink NR1800X router running firmware version 9.1.0u.6279_B20210910.
2. The attacker crafts a malicious HTTP request targeting the router’s web interface.
3. The crafted request includes a Host header with a string exceeding the buffer size allocated in the find_host_ip function within the lighttpd component.
4. The router’s lighttpd server processes the HTTP request and passes the Host header value to the vulnerable function.
5. The find_host_ip function attempts to store the oversized Host value in a stack-allocated buffer.
6. A stack-based buffer overflow occurs due to the insufficient buffer size.
7. The overflow overwrites adjacent memory on the stack, potentially including the return address.
8. The attacker gains arbitrary code execution on the device.

Impact

Successful exploitation of CVE-2026-7546 allows a remote attacker to execute arbitrary code on the vulnerable Totolink NR1800X device. This can lead to complete control of the router, allowing the attacker to modify router settings, intercept network traffic, or use the compromised router as a pivot point for further attacks within the network. Given the nature of stack-based buffer overflows, the attacker can potentially install persistent backdoors or malware. This presents a significant risk to users, potentially exposing sensitive data and infrastructure to unauthorized access.

Recommendation

• Apply available patches released by Totolink to remediate CVE-2026-7546.
• Monitor network traffic for suspicious HTTP requests targeting Totolink routers, specifically looking for abnormally long Host headers with the Sigma rule “Detect Suspiciously Long Host Header”.
• Implement network segmentation to limit the impact of a compromised router.
• Review and harden router configurations, including disabling remote administration if not required.

]]>criticaladvisorycveremote code executionbuffer overflowrouterhttps://feed.craftedsignal.io/briefs/2026-05-totolink-command-injection/Fri, 01 May 2026 03:16:01 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-totolink-command-injection/A command injection vulnerability exists in Totolink NR1800X version 9.1.0u.6279_B20210910, affecting the function sub_41A68C of the file /cgi-bin/cstecgi.cgi; by manipulating the argument setUssd, a remote attacker can inject commands, and an exploit is publicly available.A command injection vulnerability, identified as CVE-2026-7548, affects Totolink NR1800X router version 9.1.0u.6279_B20210910. The vulnerability resides within the sub_41A68C function of the /cgi-bin/cstecgi.cgi file. By manipulating the setUssd argument, a remote attacker can inject arbitrary commands into the system. Publicly available exploit code makes exploitation easier. This vulnerability poses a significant risk as it allows unauthenticated remote attackers to execute arbitrary commands on the affected device, potentially leading to full system compromise.

Attack Chain

1. The attacker identifies a vulnerable Totolink NR1800X device running firmware version 9.1.0u.6279_B20210910.
2. The attacker sends a crafted HTTP request to the /cgi-bin/cstecgi.cgi endpoint.
3. The HTTP request includes the setUssd argument with a malicious payload designed to inject a command.
4. The sub_41A68C function processes the setUssd argument without proper sanitization.
5. The injected command is executed by the system with the privileges of the web server process.
6. The attacker gains initial access and can execute arbitrary commands on the device.
7. The attacker may then use the command execution to escalate privileges, install malware, or pivot to other devices on the network.

Impact

Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the affected Totolink NR1800X router. This could lead to complete compromise of the device, allowing the attacker to control network traffic, modify router settings, or use the router as a pivot point to attack other devices on the network. Given the wide usage of Totolink routers, a large number of devices could be vulnerable.

Recommendation

• Monitor web server logs for requests to /cgi-bin/cstecgi.cgi containing suspicious characters or command injection attempts in the setUssd parameter, using the Sigma rule provided below.
• Implement rate limiting on the /cgi-bin/cstecgi.cgi endpoint to mitigate brute-force exploitation attempts.
• Apply available patches provided by Totolink to address the CVE-2026-7548 vulnerability.
• Deploy the Sigma rule to your SIEM and tune for your environment.

]]>criticaladvisorycommand-injectionrouternetworkhttps://feed.craftedsignal.io/briefs/2026-05-utt-hiper-buffer-overflow/Fri, 01 May 2026 00:16:25 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-utt-hiper-buffer-overflow/A buffer overflow vulnerability exists in UTT HiPER 1200GW devices up to version 2.5.3-170306, stemming from manipulation of the `strcpy` function in the `/goform/formRemoteControl` file, which allows remote attackers to execute arbitrary code.A buffer overflow vulnerability has been identified in UTT HiPER 1200GW devices with firmware versions up to 2.5.3-170306. The flaw resides within the strcpy function of the /goform/formRemoteControl file, which handles remote control functionalities. A remote attacker can exploit this vulnerability by sending a specially crafted request to trigger the buffer overflow, potentially leading to arbitrary code execution on the affected device. Publicly available exploit code exists, increasing the risk of exploitation. This vulnerability poses a significant threat to organizations using the affected UTT HiPER 1200GW devices, as it could allow attackers to gain unauthorized access and control over the device and potentially the network it is connected to.

Attack Chain

1. Attacker identifies a vulnerable UTT HiPER 1200GW device exposed to the internet.
2. Attacker crafts a malicious HTTP request targeting the /goform/formRemoteControl endpoint.
3. The malicious request includes a payload designed to overflow the buffer when processed by the strcpy function.
4. The vulnerable strcpy function within /goform/formRemoteControl copies the attacker-controlled data without proper bounds checking.
5. The buffer overflow overwrites adjacent memory regions, potentially including critical program data or execution pointers.
6. The attacker leverages the overflow to inject and execute arbitrary code on the device.
7. The attacker gains control of the device, potentially escalating privileges.
8. The attacker uses the compromised device to pivot to other systems on the network, exfiltrate sensitive data, or cause further damage.

Impact

Successful exploitation of this vulnerability could lead to complete compromise of the affected UTT HiPER 1200GW device. Attackers could gain unauthorized access to sensitive data, disrupt device functionality, or use the device as a foothold for further attacks within the network. Given that public exploits are available, the risk of widespread exploitation is high. While the exact number of affected devices is unknown, organizations using UTT HiPER 1200GW devices should take immediate action to mitigate this vulnerability.

Recommendation

• Apply available patches or firmware updates from UTT to address the buffer overflow vulnerability in UTT HiPER 1200GW devices.
• Monitor network traffic for suspicious requests targeting the /goform/formRemoteControl endpoint, and deploy the Sigma rule Detect Suspicious Requests to FormRemoteControl to identify potentially malicious activity.
• Implement input validation and sanitization measures to prevent buffer overflows in web applications.
• Consider network segmentation to limit the impact of a compromised device on other systems within the network.
• Review and restrict access to the device’s web interface to only authorized personnel.

]]>criticalthreatbuffer-overflowiotroutercvehttps://feed.craftedsignal.io/briefs/2026-04-tenda-stack-overflow/Thu, 30 Apr 2026 03:16:01 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-tenda-stack-overflow/A remote stack-based buffer overflow vulnerability exists in the Tenda 4G300 router, version US_4G300V1.0Mt_V1.01.42_CN_TDC01, allowing an attacker to potentially execute arbitrary code by manipulating the 'page' argument to the sub_427C3C function in the /goform/SafeMacFilter file.A stack-based buffer overflow vulnerability has been identified in Tenda 4G300 routers, specifically version US_4G300V1.0Mt_V1.01.42_CN_TDC01. The vulnerability resides within the sub_427C3C function located in the /goform/SafeMacFilter file. An attacker can exploit this flaw by manipulating the page argument in a crafted request, leading to a buffer overflow and potentially allowing for arbitrary code execution on the affected device. The vulnerability, identified as CVE-2026-7470, poses a significant risk as remote exploitation is possible, and a proof-of-concept exploit is publicly available, increasing the likelihood of malicious actors leveraging this vulnerability.

Attack Chain

1. The attacker identifies a Tenda 4G300 router running the vulnerable firmware version US_4G300V1.0Mt_V1.01.42_CN_TDC01.
2. The attacker crafts a malicious HTTP POST request targeting the /goform/SafeMacFilter endpoint.
3. The crafted request includes the page argument with a payload exceeding the buffer size allocated for it within the sub_427C3C function.
4. The router processes the HTTP request, passing the oversized page argument to the vulnerable function.
5. The sub_427C3C function attempts to write the oversized data into a stack-based buffer, causing a buffer overflow.
6. The buffer overflow overwrites adjacent memory on the stack, including the return address.
7. The attacker redirects execution flow to a malicious code payload injected into the request or elsewhere in memory.
8. The injected code executes with the privileges of the router process, potentially allowing the attacker to gain full control of the device.

Impact

Successful exploitation of this vulnerability can lead to complete compromise of the Tenda 4G300 router. An attacker could gain unauthorized access to the device’s configuration, intercept network traffic, or use the router as a launching point for further attacks against other devices on the network or the internet. Given the widespread use of these routers in homes and small businesses, a successful attack could impact a large number of users.

Recommendation

• Monitor web server logs for unusual POST requests to /goform/SafeMacFilter with abnormally long page parameters. Use the provided Sigma rule to detect suspicious activity.
• Implement rate limiting on the /goform/SafeMacFilter endpoint to mitigate potential brute-force exploitation attempts.
• Apply any available patches or firmware updates released by Tenda to address CVE-2026-7470.
• Deploy the Sigma rules in this brief to your SIEM and tune for your environment.

]]>criticaladvisorybuffer-overflowtendaroutercve-2026-7470https://feed.craftedsignal.io/briefs/2026-04-dlink-buffer-overflow/Tue, 28 Apr 2026 15:16:37 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-dlink-buffer-overflow/D-Link DIR-825M version 1.1.12 is vulnerable to a buffer overflow via manipulation of the submit-url argument in the /boafrm/formWanConfigSetup file's sub_414BA8 function, allowing a remote attacker to execute arbitrary code.A buffer overflow vulnerability exists in D-Link DIR-825M router version 1.1.12. The vulnerability is located within the sub_414BA8 function of the /boafrm/formWanConfigSetup file. An attacker can exploit this flaw by manipulating the submit-url argument, leading to arbitrary code execution on the device. This vulnerability is remotely exploitable, and a proof-of-concept exploit is publicly available, increasing the risk of widespread attacks. Exploitation does not require authentication by default, and could allow an attacker to gain complete control over the device. This poses a significant threat to home and small business networks relying on this router model.

Attack Chain

1. The attacker identifies a vulnerable D-Link DIR-825M router running firmware version 1.1.12.
2. The attacker crafts a malicious HTTP POST request targeting the /boafrm/formWanConfigSetup endpoint.
3. The attacker includes the submit-url argument in the POST request, injecting a buffer overflow payload.
4. The crafted payload overflows the buffer in the sub_414BA8 function during the processing of the submit-url argument.
5. The buffer overflow overwrites critical memory regions, including the return address.
6. When the sub_414BA8 function returns, control is redirected to the attacker-controlled address.
7. The attacker’s payload executes arbitrary code, potentially downloading and executing a secondary payload.
8. The attacker gains remote shell access to the router.

Impact

Successful exploitation of this buffer overflow vulnerability allows a remote attacker to execute arbitrary code on the D-Link DIR-825M router. This can lead to complete compromise of the device, allowing the attacker to eavesdrop on network traffic, modify router settings, or use the router as a botnet node for further malicious activities. Given the widespread use of D-Link routers in home and small business networks, a successful attack could compromise a large number of devices and networks.

Recommendation

• Apply available firmware updates from D-Link to patch CVE-2026-7289.
• Deploy the following Sigma rule to detect suspicious POST requests to /boafrm/formWanConfigSetup with overly long submit-url parameters.
• Monitor web server logs for suspicious activity related to the /boafrm/formWanConfigSetup endpoint.

]]>criticaladvisorybuffer-overflowrouterdlinkcvehttps://feed.craftedsignal.io/briefs/2026-04-tenda-hg3-overflow/Tue, 28 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-tenda-hg3-overflow/A stack-based buffer overflow vulnerability in the formUploadConfig function of Tenda HG3 v2.0's /boaform/formIPv6Routing file allows remote attackers to execute arbitrary code by manipulating the destNet argument.A stack-based buffer overflow vulnerability has been identified in Tenda HG3 version 2.0. The vulnerability exists within the formUploadConfig function of the /boaform/formIPv6Routing file. A remote attacker can exploit this by manipulating the destNet argument, potentially leading to arbitrary code execution on the device. The vulnerability, identified as CVE-2026-7151, has a publicly available exploit, increasing the risk of exploitation. This poses a significant threat to users of Tenda HG3 v2.0 routers, potentially allowing attackers to gain unauthorized access and control over the device. The CVSS v3.1 score is rated as 8.8 (HIGH).

Attack Chain

1. Attacker identifies a Tenda HG3 v2.0 router with default or known credentials, or no authentication at all.
2. The attacker sends a crafted HTTP POST request to /boaform/formIPv6Routing.
3. The request targets the formUploadConfig function.
4. The destNet argument within the HTTP POST data is manipulated with a string exceeding the buffer size.
5. The formUploadConfig function processes the oversized destNet argument without proper bounds checking.
6. This causes a stack-based buffer overflow, overwriting adjacent memory regions on the stack.
7. The attacker gains arbitrary code execution on the device by overwriting the return address or other critical data on the stack.
8. The attacker can then leverage this to gain full control of the device, potentially modifying settings, injecting malware, or using it as part of a botnet.

Impact

Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the affected Tenda HG3 v2.0 router. This could lead to complete compromise of the device, allowing the attacker to monitor network traffic, change router settings, or use the device as a launchpad for further attacks against other devices on the network. Given the potential for widespread exploitation due to the publicly available exploit, a large number of Tenda HG3 v2.0 users are at risk.

Recommendation

• Monitor web server logs for unusual POST requests to /boaform/formIPv6Routing with excessively long destNet parameters to detect potential exploit attempts (see example Sigma rule below).
• Implement rate limiting for requests to /boaform/formIPv6Routing to mitigate brute-force exploitation attempts.
• Apply available patches or firmware updates from Tenda to address CVE-2026-7151 on vulnerable HG3 2.0 devices.
• Consider deploying a web application firewall (WAF) rule to filter out malicious requests targeting the destNet parameter in /boaform/formIPv6Routing.

]]>criticaladvisorycve-2026-7151buffer-overflowtendarouterhttps://feed.craftedsignal.io/briefs/2026-04-totolink-rce/Tue, 28 Apr 2026 09:17:41 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-totolink-rce/Totolink A8000RU version 7.1cu.643_b20200521 is vulnerable to OS command injection via manipulation of the `wifiOff` argument in the `setWiFiBasicCfg` function of the `/cgi-bin/cstecgi.cgi` CGI handler, allowing a remote attacker to execute arbitrary commands on the system.A critical vulnerability, CVE-2026-7241, has been identified in Totolink A8000RU router firmware version 7.1cu.643_b20200521. This vulnerability resides within the CGI Handler component, specifically in the setWiFiBasicCfg function of the /cgi-bin/cstecgi.cgi file. Successful exploitation allows a remote attacker to inject and execute arbitrary operating system commands by manipulating the wifiOff argument. The vulnerability has been publicly disclosed, increasing the risk of exploitation. This poses a significant threat to users of the affected router model, potentially leading to complete system compromise.

Attack Chain

1. The attacker identifies a Totolink A8000RU router running firmware version 7.1cu.643_b20200521.
2. The attacker sends a crafted HTTP request to the /cgi-bin/cstecgi.cgi endpoint.
3. The HTTP request targets the setWiFiBasicCfg function.
4. The attacker injects malicious OS commands into the wifiOff argument of the HTTP request.
5. The CGI handler processes the request without proper sanitization of the wifiOff argument.
6. The injected OS commands are executed by the system with the privileges of the web server.
7. The attacker gains remote shell access or performs other malicious actions, such as modifying router settings.

Impact

Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary operating system commands on the affected Totolink A8000RU router. This can lead to complete compromise of the device, potentially enabling the attacker to eavesdrop on network traffic, modify router configuration, or use the router as a node in a botnet. Given the widespread use of Totolink routers, a successful attack could impact numerous home and small business networks.

Recommendation

• Deploy the Sigma rule “Detect Totolink A8000RU Command Injection Attempt” to your SIEM to identify exploitation attempts targeting the vulnerable endpoint.
• Apply the Sigma rule “Detect Suspicious CGI Request Arguments” to identify unusual commands in cgi requests.
• Monitor web server logs for requests to /cgi-bin/cstecgi.cgi with suspicious characters or commands in the wifiOff parameter, as this is the attack vector described in CVE-2026-7241.

]]>criticaladvisorycve-2026-7241command-injectionrouterhttps://feed.craftedsignal.io/briefs/2026-04-dlink-di-8100-bo/Tue, 28 Apr 2026 09:16:18 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-dlink-di-8100-bo/A buffer overflow vulnerability in the D-Link DI-8100 router allows remote attackers to execute arbitrary code by manipulating the 'fn' argument in the tgfile_htm function of the CGI endpoint.A critical buffer overflow vulnerability, identified as CVE-2026-7248, affects the D-Link DI-8100 router, specifically version 16.07.26A1. The vulnerability resides within the tgfile_htm function of the tgfile.htm file, a component of the CGI endpoint. By crafting a malicious request targeting the fn argument, a remote, unauthenticated attacker can trigger a buffer overflow, potentially leading to arbitrary code execution. This vulnerability is particularly concerning as a proof-of-concept exploit has been publicly released, increasing the likelihood of exploitation. Routers are often targeted due to their exposure to the internet and the potential to compromise entire networks.

Attack Chain

1. The attacker identifies a vulnerable D-Link DI-8100 router running firmware version 16.07.26A1.
2. The attacker crafts a malicious HTTP request targeting the tgfile.htm CGI endpoint.
3. The malicious request includes an overly long string in the fn argument.
4. The router’s web server processes the request and passes the fn argument to the tgfile_htm function.
5. The tgfile_htm function fails to properly validate the length of the fn argument.
6. A buffer overflow occurs when the overly long fn argument is copied into a fixed-size buffer.
7. The buffer overflow overwrites adjacent memory, potentially including return addresses or other critical data.
8. The attacker gains arbitrary code execution on the router, potentially allowing them to take full control of the device.

Impact

Successful exploitation of this vulnerability allows an attacker to remotely execute arbitrary code on the D-Link DI-8100 router. This could lead to a complete compromise of the device, allowing the attacker to intercept network traffic, modify router settings, or use the router as a launchpad for further attacks against other devices on the network. Given the public availability of an exploit, widespread exploitation is possible, potentially affecting numerous home and small business networks.

Recommendation

• Monitor web server logs for abnormally long fn parameters in requests to /tgfile.htm using the provided Sigma rule to detect potential exploitation attempts.
• Implement rate limiting on HTTP requests to the router’s web interface to mitigate brute-force exploitation attempts.
• Since the source material only identifies a vulnerability, without a patch, consider replacing the affected device.

]]>criticaladvisorycve-2026-7248buffer-overflowd-linkrouterhttps://feed.craftedsignal.io/briefs/2026-04-totolink-cmd-injection/Tue, 28 Apr 2026 08:16:02 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-totolink-cmd-injection/CVE-2026-7240 is a critical OS command injection vulnerability in the Totolink A8000RU router that allows remote attackers to execute arbitrary commands by manipulating the 'User' argument in the 'setVpnAccountCfg' function.A critical vulnerability, CVE-2026-7240, has been identified in Totolink A8000RU router firmware version 7.1cu.643_b20200521. This flaw resides within the CGI Handler component, specifically in the setVpnAccountCfg function of the /cgi-bin/cstecgi.cgi file. By exploiting this vulnerability, a remote attacker can inject arbitrary operating system commands by manipulating the User argument. Publicly available exploit code exists, increasing the risk of widespread exploitation. This vulnerability poses a significant threat as it allows complete control of the affected device, potentially leading to network compromise and data exfiltration.

Attack Chain

1. The attacker identifies a Totolink A8000RU router running firmware version 7.1cu.643_b20200521 accessible via the web interface.
2. The attacker crafts a malicious HTTP request targeting the /cgi-bin/cstecgi.cgi endpoint.
3. The crafted request includes the setVpnAccountCfg function call with a payload injected into the User argument. The payload contains OS commands to be executed on the router.
4. The router’s CGI Handler processes the request without proper sanitization of the User argument.
5. The injected OS commands are executed with the privileges of the web server process.
6. The attacker gains remote shell access to the router.
7. The attacker leverages the compromised router to pivot within the network, potentially accessing sensitive data or other internal systems.
8. The attacker could modify the router’s configuration, intercept network traffic, or use it as a launching point for further attacks.

Impact

Successful exploitation of CVE-2026-7240 allows a remote, unauthenticated attacker to execute arbitrary commands on the affected Totolink A8000RU router. This could lead to a complete compromise of the device, potentially exposing sensitive information, enabling unauthorized network access, and facilitating further attacks within the network. Given the ease of exploitation and the availability of public exploits, organizations using this router model are at high risk of experiencing significant security breaches.

Recommendation

• Deploy the Sigma rule Detect Totolink A8000RU Command Injection Attempt to identify exploitation attempts against vulnerable Totolink routers. Enable webserver logging to capture the necessary request data.
• Apply the Sigma rule Detect Totolink A8000RU Malicious User Agent to detect potential exploit attempts based on modified User-Agent headers.
• Monitor webserver logs for requests to /cgi-bin/cstecgi.cgi containing suspicious characters or command sequences in the cs-uri-query field, indicative of command injection attempts.
• Given the public availability of exploit code, organizations using the Totolink A8000RU 7.1cu.643_b20200521 are advised to replace the device if a patch is not available from the vendor.

]]>criticaladvisorycve-2026-7240command-injectiontotolinkroutercgihttps://feed.craftedsignal.io/briefs/2026-04-totolink-n300rt-bo/Tue, 28 Apr 2026 04:16:23 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-totolink-n300rt-bo/A remote buffer overflow vulnerability exists in Totolink N300RT 3.4.0-B20250430 via manipulation of the 'entry_name' argument in the /boafrm/formIpQoS file, potentially leading to arbitrary code execution.A buffer overflow vulnerability, identified as CVE-2026-7219, has been discovered in Totolink N300RT router firmware version 3.4.0-B20250430. The vulnerability resides within the /boafrm/formIpQoS file and is triggered by manipulating the entry_name argument. An attacker can exploit this flaw remotely to potentially execute arbitrary code on the device. Publicly available exploit code exists, increasing the risk of exploitation. This vulnerability poses a significant threat to devices running the affected firmware, potentially allowing attackers to gain unauthorized access and control over the router.

Attack Chain

1. An attacker identifies a Totolink N300RT device running firmware version 3.4.0-B20250430.
2. The attacker crafts a malicious HTTP request targeting the /boafrm/formIpQoS file.
3. The crafted request includes a payload designed to overflow the buffer associated with the entry_name argument.
4. The router’s web server processes the malicious request, leading to a buffer overflow condition.
5. The attacker overwrites adjacent memory regions, potentially including return addresses or other critical data.
6. Upon function return, the overwritten return address is used, diverting execution flow to attacker-controlled code.
7. The attacker gains arbitrary code execution on the device.
8. The attacker can then use this access to modify router settings, intercept network traffic, or establish a persistent backdoor.

Impact

Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the Totolink N300RT device. This could lead to complete compromise of the router, enabling attackers to monitor network traffic, change DNS settings, or use the device as part of a botnet. Given the number of Totolink N300RT devices deployed, this vulnerability could have a widespread impact, especially for home and small business users.

Recommendation

• Monitor web server logs for requests targeting /boafrm/formIpQoS with unusually long entry_name parameters to detect potential exploitation attempts. Implement the Sigma rule Detect Suspicious Totolink FormIpQoS Requests.
• Apply firmware updates as soon as they are released by Totolink to patch CVE-2026-7219.
• Implement network segmentation to limit the impact of a compromised router on other devices on the network.
• Consider using a web application firewall (WAF) to filter out malicious requests targeting the router’s web interface and activate the Detect Large POST Requests to Router Config Pages Sigma rule.

]]>highadvisorybuffer-overflowiotroutercve-2026-7219https://feed.craftedsignal.io/briefs/2026-04-tenda-f456-buffer-overflow/Mon, 27 Apr 2026 09:19:31 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-tenda-f456-buffer-overflow/A buffer overflow vulnerability in Tenda F456 version 1.0.0.5 allows remote attackers to execute arbitrary code via a crafted request to the fromWrlclientSet function in the /goform/WrlclientSet file of the httpd component.A critical buffer overflow vulnerability, identified as CVE-2026-7101, has been discovered in Tenda F456 router version 1.0.0.5. The vulnerability resides in the fromWrlclientSet function within the /goform/WrlclientSet file, which is part of the router’s httpd component. Successful exploitation allows remote attackers to execute arbitrary code on the device. Publicly available exploit code exists, increasing the risk of widespread exploitation. This vulnerability poses a significant threat to home and small business networks using the affected Tenda router model, potentially leading to complete device compromise and unauthorized network access. The vulnerability was published on 2026-04-27 and is tracked by VulDB.

Attack Chain

1. An attacker identifies a vulnerable Tenda F456 router running firmware version 1.0.0.5.
2. The attacker crafts a malicious HTTP request targeting the /goform/WrlclientSet endpoint.
3. The crafted request includes an oversized payload designed to overflow the buffer in the fromWrlclientSet function.
4. The httpd process attempts to process the request without proper bounds checking.
5. The buffer overflow occurs, overwriting adjacent memory regions, including critical program data and execution pointers.
6. The attacker gains control of the program execution flow.
7. The attacker executes arbitrary code on the router, potentially including shell commands or custom malware.
8. The attacker achieves complete control of the router, potentially enabling network reconnaissance, data exfiltration, or further attacks on the local network.

Impact

Successful exploitation of this buffer overflow vulnerability allows a remote attacker to execute arbitrary code on the Tenda F456 router. This can lead to complete device compromise, allowing the attacker to control network traffic, modify router settings, or use the compromised device as a pivot point for further attacks within the network. Given the wide usage of Tenda routers in home and small business environments, a successful widespread exploitation could impact thousands of users.

Recommendation

• Upgrade to a patched firmware version if available from the vendor.
• Implement network segmentation to limit the impact of a compromised router.
• Monitor web server logs for suspicious activity targeting the /goform/WrlclientSet endpoint using the provided Sigma rule.
• Implement an IPS rule to detect and block exploit attempts targeting CVE-2026-7101.

]]>criticaladvisorycve-2026-7101buffer-overflowroutertendaremote-code-executionhttps://feed.craftedsignal.io/briefs/2026-04-tenda-f456-bo/Mon, 27 Apr 2026 04:16:09 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-tenda-f456-bo/A buffer overflow vulnerability exists in Tenda F456 version 1.0.0.5 in the `fromGstDhcpSetSer` function, allowing remote attackers to execute arbitrary code by manipulating the 'dips' argument via a crafted HTTP request to `/goform/GstDhcpSetSer`.A critical buffer overflow vulnerability, identified as CVE-2026-7081, affects Tenda F456 router version 1.0.0.5. The vulnerability resides in the fromGstDhcpSetSer function within the /goform/GstDhcpSetSer file, a component of the device’s httpd service. Successful exploitation allows a remote attacker to execute arbitrary code on the device. Publicly available exploit code increases the risk of widespread exploitation. This vulnerability poses a significant threat as it can lead to complete compromise of the affected device, potentially allowing attackers to gain unauthorized access to the network, steal sensitive information, or use the device as part of a botnet.

Attack Chain

1. The attacker identifies a vulnerable Tenda F456 router (version 1.0.0.5) exposed to the internet.
2. The attacker crafts a malicious HTTP POST request targeting the /goform/GstDhcpSetSer endpoint.
3. The HTTP request includes the dips argument, which is intentionally oversized to trigger the buffer overflow.
4. The vulnerable fromGstDhcpSetSer function processes the request without proper bounds checking.
5. The oversized dips argument overwrites adjacent memory regions on the stack.
6. The attacker carefully crafts the overflow to overwrite the return address with an address pointing to attacker-controlled code.
7. The fromGstDhcpSetSer function returns, causing execution to jump to the attacker’s code.
8. The attacker’s code executes with the privileges of the httpd process, potentially leading to full device compromise.

Impact

Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the affected Tenda F456 router. This can result in complete device compromise, including the ability to modify device settings, intercept network traffic, and potentially use the compromised device as a pivot point for further attacks within the network. Given the widespread use of Tenda routers, a large number of devices could be vulnerable, making this a significant security concern.

Recommendation

• Monitor web server logs for suspicious POST requests to /goform/GstDhcpSetSer with unusually long dips parameter values to detect potential exploitation attempts.
• Deploy the provided Sigma rule Detect Tenda F456 Buffer Overflow Attempt to identify malicious HTTP requests.
• Since no patch is available, consider replacing the affected Tenda F456 routers (version 1.0.0.5) with more secure alternatives.

]]>criticaladvisorycvebuffer_overflowrouterhttps://feed.craftedsignal.io/briefs/2026-04-linksys-rce/Sun, 26 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-linksys-rce/CVE-2026-6992 is a command injection vulnerability in the Linksys MR9600 router that allows remote attackers to execute arbitrary OS commands by manipulating the 'pin' argument in the BTRequestGetSmartConnectStatus function.A command injection vulnerability, CVE-2026-6992, affects the Linksys MR9600 router, specifically version 2.0.6.206937. The vulnerability resides in the JNAP Action Handler component within the /etc/init.d/run_central2.sh script. Attackers can remotely exploit this flaw by manipulating the pin argument passed to the BTRequestGetSmartConnectStatus function. This allows for the execution of arbitrary operating system commands on the affected device. A public exploit is available, increasing the risk of exploitation. The vendor was notified but did not respond.

Attack Chain

1. The attacker sends a crafted HTTP request to the Linksys MR9600 router.
2. The request targets the JNAP Action Handler component, specifically the /etc/init.d/run_central2.sh script.
3. The BTRequestGetSmartConnectStatus function is invoked by the crafted request.
4. The attacker injects malicious OS commands within the pin argument of the BTRequestGetSmartConnectStatus function.
5. The router’s firmware processes the request, failing to properly sanitize the pin argument.
6. The injected OS commands are executed with the privileges of the running process, potentially root.
7. The attacker gains control of the router, potentially allowing for further malicious activities, such as network traffic interception or modification of router settings.

Impact

Successful exploitation of CVE-2026-6992 allows a remote attacker to execute arbitrary commands on the Linksys MR9600 router. This can lead to a complete compromise of the device, allowing the attacker to monitor network traffic, change router configurations, or use the router as a foothold for further attacks within the network. Given the availability of a public exploit, the risk of widespread exploitation is high.

Recommendation

• Deploy the Sigma rule Detect CVE-2026-6992 Exploitation Attempt to identify exploitation attempts in web server logs.
• Apply the Sigma rule Detect Suspicious Shell Activity via Web Request to detect potential command injection attempts.
• Monitor web server logs for requests containing suspicious characters in the cs-uri-query field that target /etc/init.d/run_central2.sh to uncover exploitation attempts.

]]>criticaladvisorycve-2026-6992command-injectionrouterrcehttps://feed.craftedsignal.io/briefs/2026-04-tenda-buffer-overflow/Sun, 26 Apr 2026 11:16:06 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-tenda-buffer-overflow/A buffer overflow vulnerability in Tenda F456 router version 1.0.0.5 allows a remote attacker to execute arbitrary code by exploiting the fromSafeClientFilter function in the /goform/SafeClientFilter endpoint through manipulation of the 'menufacturer/Go' argument.A buffer overflow vulnerability has been identified in Tenda F456 router, specifically version 1.0.0.5. The vulnerability resides within the fromSafeClientFilter function located in the /goform/SafeClientFilter file. Successful exploitation allows a remote attacker to inject and execute arbitrary code. Publicly available exploit code exists, increasing the risk of widespread exploitation targeting vulnerable Tenda F456 devices. This issue poses a significant threat to network security, as a compromised router can lead to data breaches, denial of service, or further network intrusion.

Attack Chain

1. The attacker identifies a Tenda F456 router running firmware version 1.0.0.5 exposed to the internet.
2. The attacker crafts a malicious HTTP POST request targeting the /goform/SafeClientFilter endpoint.
3. The crafted request includes a specially designed payload within the menufacturer/Go argument. This payload is designed to trigger a buffer overflow in the fromSafeClientFilter function.
4. The fromSafeClientFilter function processes the malicious input without proper bounds checking.
5. The oversized payload overwrites adjacent memory regions, potentially including return addresses or other critical data.
6. When the fromSafeClientFilter function attempts to return, the overwritten return address is used, redirecting execution flow to attacker-controlled memory.
7. The attacker-controlled memory contains shellcode or other malicious instructions.
8. The router executes the attacker’s code, granting the attacker control over the device.

Impact

Successful exploitation of this vulnerability can result in complete compromise of the Tenda F456 router. An attacker can gain unauthorized access to network traffic, modify router settings, or use the compromised device as a launchpad for further attacks within the network. Given the public availability of exploit code, a large number of Tenda F456 routers could be targeted, potentially affecting numerous home and small business networks. A successful attack could lead to data theft, service disruption, and reputational damage.

Recommendation

• Apply any available patches or firmware updates released by Tenda to address CVE-2026-7033 on the F456 1.0.0.5 routers.
• Implement network intrusion detection systems (IDS) or intrusion prevention systems (IPS) rules to detect and block malicious requests targeting the /goform/SafeClientFilter endpoint.
• Deploy the Sigma rules provided below to your SIEM to detect exploitation attempts targeting the vulnerable endpoint.
• Monitor web server logs for suspicious POST requests to /goform/SafeClientFilter with abnormally large menufacturer/Go argument values.

]]>criticaladvisorybuffer-overflowremote-code-executioncve-2026-7033routerhttps://feed.craftedsignal.io/briefs/2026-04-tenda-f451-buffer-overflow/Mon, 20 Apr 2026 11:16:19 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-tenda-f451-buffer-overflow/A buffer overflow vulnerability (CVE-2026-6631) in Tenda F451 router version 1.0.0.7_cn_svn7958 allows remote attackers to execute arbitrary code by manipulating the 'page' argument in the /goform/webExcptypemanFilter component.CVE-2026-6631 is a critical buffer overflow vulnerability affecting Tenda F451 routers running firmware version 1.0.0.7_cn_svn7958. The vulnerability resides in the fromwebExcptypemanFilter function within the /goform/webExcptypemanFilter component of the router’s httpd web server. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted HTTP request with an overly long ‘page’ parameter. Publicly available exploits exist, increasing the risk of widespread exploitation. Successful exploitation allows attackers to execute arbitrary code on the router, potentially leading to full device compromise and network access.

Attack Chain

1. Attacker identifies a vulnerable Tenda F451 router exposed to the internet.
2. Attacker crafts a malicious HTTP GET or POST request targeting /goform/webExcptypemanFilter.
3. The crafted request includes the page parameter with a payload exceeding the buffer size allocated for it.
4. The httpd server processes the request and passes the page parameter to the vulnerable fromwebExcptypemanFilter function.
5. Due to the lack of proper bounds checking, the overly long page parameter overwrites adjacent memory regions on the stack.
6. The attacker carefully designs the overflow payload to overwrite the return address on the stack with the address of malicious code injected elsewhere in memory.
7. The fromwebExcptypemanFilter function completes execution and attempts to return, jumping to the attacker-controlled address.
8. The attacker’s malicious code executes with the privileges of the httpd server, potentially gaining full control of the router.

Impact

Successful exploitation of CVE-2026-6631 allows remote attackers to execute arbitrary code on vulnerable Tenda F451 routers. This can lead to complete device compromise, allowing attackers to modify router settings, intercept network traffic, or use the router as a point of entry for further attacks on the internal network. Given the widespread use of Tenda routers, a large number of devices could be vulnerable, potentially impacting both home and small business networks. The availability of public exploits further increases the likelihood of exploitation.

Recommendation

• Apply available firmware updates from Tenda to patch CVE-2026-6631.
• Monitor web server logs for suspicious requests to /goform/webExcptypemanFilter with unusually long page parameters, using the Sigma rule DetectTendaF451BufferOverflow.
• Implement network intrusion detection systems (IDS) to detect and block exploit attempts targeting CVE-2026-6631.
• Consider deploying the Sigma rule DetectTendaF451SuspiciousProcess to identify unexpected processes spawned by the httpd daemon.
• If patching is not immediately feasible, consider restricting access to the router’s web interface from the public internet to mitigate the risk of remote exploitation.

]]>criticaladvisorytendarouterbuffer_overflowcve-2026-6631webserverhttps://feed.craftedsignal.io/briefs/2026-04-h3c-magic-b1-overflow/Sun, 19 Apr 2026 23:16:33 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-h3c-magic-b1-overflow/A buffer overflow vulnerability (CVE-2026-6581) in H3C Magic B1 routers allows remote attackers to execute arbitrary code by manipulating the 'param' argument in the SetMobileAPInfoById function.A critical buffer overflow vulnerability, identified as CVE-2026-6581, affects H3C Magic B1 routers up to version 100R004. The vulnerability resides in the SetMobileAPInfoById function within the /goform/aspForm file. An attacker can exploit this flaw by crafting a malicious request that manipulates the param argument, leading to a buffer overflow and potential remote code execution. This vulnerability is particularly concerning because a public exploit is available, increasing the risk of widespread exploitation. The vendor was notified about the vulnerability but has not responded. Given the ease of exploitation and the potential for complete system compromise, organizations using affected H3C routers should take immediate action.

Attack Chain

1. The attacker identifies a vulnerable H3C Magic B1 router running a firmware version up to 100R004.
2. The attacker crafts a malicious HTTP POST request targeting the /goform/aspForm endpoint.
3. The request includes the SetMobileAPInfoById function call with an overly long value for the param argument, triggering the buffer overflow.
4. The overflow overwrites adjacent memory regions, including the return address on the stack.
5. The attacker sets the overwritten return address to point to attacker-controlled code or a ROP chain.
6. When the SetMobileAPInfoById function returns, execution jumps to the attacker-controlled code.
7. The attacker’s code executes with elevated privileges, potentially allowing full control of the router.
8. The attacker can then use the compromised router to establish a foothold within the network, exfiltrate data, or launch further attacks.

Impact

Successful exploitation of CVE-2026-6581 allows a remote attacker to execute arbitrary code with root privileges on the H3C Magic B1 router. This can lead to complete compromise of the device, allowing the attacker to control network traffic, exfiltrate sensitive data, or use the router as a jumping-off point for further attacks within the network. Given the widespread use of these routers in small to medium-sized businesses and homes, a large number of devices are potentially vulnerable. There is no indication of victim counts or sectors targeted at this time.

Recommendation

• Deploy the Sigma rule Detect H3C Magic B1 Buffer Overflow Attempt to your SIEM to detect exploitation attempts targeting CVE-2026-6581 via suspicious HTTP POST requests to /goform/aspForm (see Sigma rule below).
• Apply appropriate input validation and sanitization measures if you manage the web server to mitigate buffer overflows.
• Monitor network traffic for unusual activity originating from H3C Magic B1 routers.
• Consider replacing H3C Magic B1 routers with more secure alternatives if updates are not available.

]]>criticaladvisorycve-2026-6581buffer-overflowrouterh3chttps://feed.craftedsignal.io/briefs/2026-04-h3c-magic-buffer-overflow/Sun, 19 Apr 2026 07:16:05 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-h3c-magic-buffer-overflow/A buffer overflow vulnerability (CVE-2026-6560) in H3C Magic B0 up to 100R002 allows remote attackers to execute arbitrary code by manipulating the 'param' argument in the Edit_BasicSSID function of the /goform/aspForm file.A critical buffer overflow vulnerability (CVE-2026-6560) has been identified in H3C Magic B0 routers, specifically in versions up to 100R002. The vulnerability resides within the Edit_BasicSSID function of the /goform/aspForm file. An attacker can remotely exploit this flaw by crafting malicious input to the param argument, leading to arbitrary code execution on the device. Public exploits are reportedly available, increasing the risk of widespread exploitation. The vendor was notified about this vulnerability, but has not provided any response or patch as of April 2026. This poses a significant risk to users of the affected H3C Magic B0 routers.

Attack Chain

1. The attacker identifies a vulnerable H3C Magic B0 router running firmware version 100R002 or earlier.
2. The attacker crafts a malicious HTTP POST request targeting the /goform/aspForm endpoint.
3. The POST request includes the Edit_BasicSSID function call.
4. The param argument within the POST data contains a specially crafted string exceeding the buffer size allocated in the Edit_BasicSSID function.
5. The buffer overflow occurs when the Edit_BasicSSID function processes the oversized param argument without proper bounds checking.
6. The overflow overwrites adjacent memory regions, potentially including the return address on the stack.
7. The attacker gains control of the program execution flow.
8. The attacker executes arbitrary code on the router, potentially gaining full control of the device, exfiltrating data, or using it as a pivot point for further attacks.

Impact

Successful exploitation of this buffer overflow vulnerability (CVE-2026-6560) allows a remote attacker to execute arbitrary code on the affected H3C Magic B0 router. This could lead to a complete compromise of the device, including the ability to modify router settings, intercept network traffic, and potentially gain access to connected devices on the network. Given the availability of public exploits, widespread exploitation is possible, potentially impacting a large number of home and small business networks.

Recommendation

• Monitor web server logs for suspicious POST requests to /goform/aspForm with unusually long param arguments (refer to the Attack Chain section).
• Implement rate limiting for requests to /goform/aspForm to mitigate potential exploitation attempts (refer to the Attack Chain section).
• Deploy the following Sigma rule to detect exploitation attempts targeting the vulnerable Edit_BasicSSID function.
• Block network traffic originating from or destined to H3C Magic B0 devices until a patch is available.

]]>criticaladvisorybuffer overflowcve-2026-6560h3crouternetwork devicehttps://feed.craftedsignal.io/briefs/2026-04-wavlink-command-injection/Fri, 17 Apr 2026 11:16:11 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-wavlink-command-injection/A remote command injection vulnerability exists in the Wavlink WL-WN530H4 router, specifically in the `strcat/snprintf` function of the `/cgi-bin/internet.cgi` file, allowing attackers to execute arbitrary OS commands.A critical OS command injection vulnerability, tracked as CVE-2026-6483, has been identified in Wavlink WL-WN530H4 routers running firmware version 20220721. The flaw resides within the /cgi-bin/internet.cgi file, specifically affecting the strcat/snprintf function. Successful exploitation enables remote attackers to execute arbitrary OS commands on the affected device. The vulnerability is triggered by manipulating input to the vulnerable function. A public exploit is available, increasing the risk of widespread exploitation. Users are advised to upgrade to version 2026.04.16 to mitigate the risk. This vulnerability poses a significant threat due to the potential for complete system compromise, potentially leading to data exfiltration, device hijacking, or denial-of-service attacks.

Attack Chain

1. The attacker identifies a Wavlink WL-WN530H4 router running firmware version 20220721.
2. The attacker crafts a malicious HTTP request targeting the /cgi-bin/internet.cgi endpoint.
3. The crafted request includes a payload designed to exploit the strcat/snprintf function.
4. The vulnerable strcat/snprintf function fails to properly sanitize the attacker-controlled input.
5. The unsanitized input is passed to a system call, resulting in OS command injection.
6. The attacker executes arbitrary OS commands with the privileges of the web server process.
7. The attacker can leverage the compromised system to perform actions such as modifying router configuration, installing malware, or pivoting to other network devices.
8. The attacker gains persistent access and control over the router.

Impact

Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary OS commands on the affected Wavlink router. This can lead to a complete compromise of the device, allowing the attacker to modify router settings, intercept network traffic, or use the router as a launchpad for further attacks within the network. The lack of specifics regarding victimology suggests a wide potential impact affecting numerous users and potentially small businesses relying on these routers.

Recommendation

• Upgrade the Wavlink WL-WN530H4 router to firmware version 2026.04.16 to patch CVE-2026-6483.
• Deploy the Sigma rule “Detect Wavlink Command Injection Attempt” to monitor for malicious requests targeting /cgi-bin/internet.cgi.
• Monitor web server logs for suspicious activity and unauthorized access attempts following exploitation of CVE-2026-6483.

]]>highadvisorycommand-injectionroutercve-2026-6483https://feed.craftedsignal.io/briefs/2026-04-totolink-a3002mu-bo/Tue, 14 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-totolink-a3002mu-bo/A stack-based buffer overflow vulnerability (CVE-2026-6194) exists in the Totolink A3002MU B20211125.1046 router firmware, specifically affecting the `/boafrm/formWlanSetup` component's HTTP request handler, which allows remote attackers to execute arbitrary code by manipulating the `wan-url` argument.CVE-2026-6194 describes a stack-based buffer overflow vulnerability present in Totolink A3002MU router firmware version B20211125.1046. The vulnerability resides within the HTTP Request Handler, specifically in the sub_410188 function of the /boafrm/formWlanSetup file. A remote attacker can exploit this vulnerability by crafting a malicious HTTP request that manipulates the wan-url argument, leading to arbitrary code execution on the device. Publicly available exploit code increases the likelihood of exploitation. Successful exploitation allows an attacker to compromise the device and potentially gain control of the network.

Attack Chain

1. The attacker identifies a vulnerable Totolink A3002MU router running firmware B20211125.1046.
2. The attacker crafts a malicious HTTP POST request targeting the /boafrm/formWlanSetup endpoint.
3. The crafted request includes a wan-url argument with a payload exceeding the buffer size allocated for it in the sub_410188 function.
4. The HTTP Request Handler processes the request and calls the vulnerable sub_410188 function.
5. Due to insufficient bounds checking, the oversized wan-url argument overflows the stack buffer.
6. The attacker overwrites critical data on the stack, including the return address.
7. Upon returning from the sub_410188 function, execution is redirected to an attacker-controlled address.
8. The attacker executes arbitrary code, potentially gaining full control of the router.

Impact

Successful exploitation of CVE-2026-6194 can lead to complete compromise of the affected Totolink A3002MU router. This allows attackers to eavesdrop on network traffic, modify DNS settings, inject malicious code into web pages served to connected clients, or use the compromised router as a botnet node. Given the widespread use of these routers, a large number of devices could be at risk, potentially impacting home and small business networks.

Recommendation

• Monitor web server logs for suspicious POST requests to /boafrm/formWlanSetup with unusually long wan-url parameters to detect potential exploitation attempts (see Sigma rule “Detect Suspicious WAN-URL Parameter Length”).
• Deploy the Sigma rules provided in this brief to your SIEM to detect and alert on potential exploitation attempts.
• If possible, block requests matching the patterns identified in the Sigma rules at your network perimeter.

]]>criticaladvisorycve-2026-6194buffer-overflowtotolinkrouterhttps://feed.craftedsignal.io/briefs/2026-04-totolink-buffer-overflow/Mon, 13 Apr 2026 07:16:51 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-totolink-buffer-overflow/A stack-based buffer overflow vulnerability (CVE-2026-6168) exists in TOTOLINK A7000R devices up to version 9.1.0u.6115, allowing remote attackers to execute arbitrary code via a crafted ssid5g argument to the setWiFiEasyGuestCfg function in /cgi-bin/cstecgi.cgi.A stack-based buffer overflow vulnerability, tracked as CVE-2026-6168, has been identified in TOTOLINK A7000R routers with firmware versions up to 9.1.0u.6115. The vulnerability resides within the setWiFiEasyGuestCfg function located in the /cgi-bin/cstecgi.cgi file. Successful exploitation allows a remote attacker to execute arbitrary code on the device. Publicly available exploit code exists, increasing the risk of widespread exploitation. Given the widespread use of TOTOLINK devices, this vulnerability poses a significant threat to home and small business networks. Exploitation is possible with low privileges, as it only requires authentication to the device’s web interface.

Attack Chain

1. Attacker authenticates to the TOTOLINK A7000R web interface. This step assumes default credentials or compromised credentials.
2. The attacker crafts a malicious HTTP POST request targeting the /cgi-bin/cstecgi.cgi endpoint.
3. The request includes the setWiFiEasyGuestCfg function call.
4. The ssid5g argument within the POST request is populated with a string exceeding the buffer’s capacity.
5. The vulnerable setWiFiEasyGuestCfg function in /cgi-bin/cstecgi.cgi processes the oversized ssid5g argument without proper bounds checking.
6. This leads to a stack-based buffer overflow, overwriting adjacent memory regions.
7. The attacker leverages the overflow to inject and execute arbitrary code on the device.
8. Successful code execution can grant the attacker full control of the router, enabling further malicious activities.

Impact

Successful exploitation of CVE-2026-6168 allows a remote attacker to execute arbitrary code on the vulnerable TOTOLINK A7000R device. This can lead to complete compromise of the router, including the ability to intercept network traffic, modify DNS settings, inject malicious scripts into websites, and use the router as a pivot point for further attacks within the network. This vulnerability affects potentially thousands of devices, particularly in home and small business environments.

Recommendation

• Apply firmware updates immediately if TOTOLINK releases a patch for CVE-2026-6168.
• Monitor web server logs for POST requests to /cgi-bin/cstecgi.cgi with unusually long ssid5g parameters, using the provided Sigma rule.
• Implement network intrusion detection systems (IDS) rules to detect attempts to exploit stack-based buffer overflows targeting TOTOLINK devices.
• Restrict access to the router’s web interface to trusted IP addresses, if possible.
• Enforce strong and unique passwords for all router accounts.

]]>criticaladvisorytotolinkbuffer-overflowcve-2026-6168routerhttps://feed.craftedsignal.io/briefs/2026-04-totolink-a800r-buffer-overflow/Mon, 13 Apr 2026 04:26:40 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-totolink-a800r-buffer-overflow/A remote buffer overflow vulnerability exists in the Totolink A800R router version 4.1.2cu.5137_B20200730, allowing unauthenticated attackers to potentially execute arbitrary code by overflowing the apcliSsid argument in the setAppEasyWizardConfig function within the /lib/cste_modules/app.so library.A critical buffer overflow vulnerability, identified as CVE-2026-6157, has been discovered in Totolink A800R routers running firmware version 4.1.2cu.5137_B20200730. The vulnerability resides within the setAppEasyWizardConfig function in the /lib/cste_modules/app.so library. Successful exploitation allows remote attackers to potentially execute arbitrary code on the device. Publicly available exploits exist, increasing the risk of widespread exploitation. Routers are often the perimeter defense for networks making them lucrative targets.

Attack Chain

1. The attacker identifies a vulnerable Totolink A800R router with firmware version 4.1.2cu.5137_B20200730 exposed to the internet.
2. The attacker crafts a malicious HTTP request targeting the setAppEasyWizardConfig function.
3. The malicious request includes an overly long string as the value for the apcliSsid argument.
4. The router receives the HTTP request and passes the apcliSsid argument to the setAppEasyWizardConfig function.
5. The setAppEasyWizardConfig function copies the contents of apcliSsid into a fixed-size buffer without proper bounds checking.
6. The overly long apcliSsid string overflows the buffer, overwriting adjacent memory locations.
7. The attacker carefully crafts the overflowed data to overwrite the return address of the function.
8. When the function returns, control is transferred to the attacker’s code, leading to arbitrary code execution. This could lead to the installation of malware or complete control of the device.

Impact

Successful exploitation of this buffer overflow vulnerability grants the attacker the ability to execute arbitrary code on the affected Totolink A800R router. This can result in complete compromise of the device, enabling the attacker to intercept network traffic, modify router settings, or use the router as a launching point for further attacks within the network. Given the availability of public exploits, a large number of devices could be vulnerable, making this a high-impact threat.

Recommendation

• Apply any available firmware updates from Totolink to patch CVE-2026-6157.
• Monitor network traffic for suspicious HTTP requests targeting the setAppEasyWizardConfig function, as described in the attack chain. Deploy the provided Sigma rule to detect potential exploitation attempts.
• Implement network segmentation to limit the impact of a compromised router.
• If updates are unavailable, consider replacing the vulnerable device.
• Disable remote management access to the router to reduce the attack surface.

]]>criticaladvisorycve-2026-6157buffer-overflowrouteriothttps://feed.craftedsignal.io/briefs/2026-04-across-dr810-file-disclosure/Sun, 12 Apr 2026 13:16:33 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-across-dr810-file-disclosure/Across DR-810 routers are vulnerable to unauthenticated file disclosure, allowing remote attackers to download the rom-0 backup file containing sensitive information, such as router passwords and configuration data, via a simple GET request to the rom-0 endpoint.The Across DR-810 router contains an unauthenticated file disclosure vulnerability (CVE-2019-25706) that allows remote attackers to retrieve sensitive information. By sending a simple GET request to the /rom-0 endpoint, an attacker can download a backup file containing router passwords, configuration details, and potentially other sensitive data. This vulnerability exists because the /rom-0 endpoint does not require authentication, allowing anyone with network access to the router to retrieve the backup file. Successful exploitation leads to complete compromise of the device’s configuration and potential lateral movement within the network if credentials are reused. This vulnerability was published on 2026-04-12.

Attack Chain

1. Attacker identifies an Across DR-810 router exposed on the network.
2. Attacker crafts an HTTP GET request targeting the /rom-0 endpoint.
3. The router responds with the rom-0 backup file without requiring authentication.
4. Attacker downloads the rom-0 backup file.
5. Attacker decompresses the downloaded rom-0 file, which is likely compressed to reduce size.
6. The attacker parses the decompressed file to extract sensitive information such as router passwords.
7. Attacker uses the extracted router passwords to gain administrative access to the router’s web interface.

Impact

Successful exploitation of this vulnerability allows attackers to retrieve sensitive information, including router passwords and configuration data. This can lead to complete compromise of the affected router. An attacker can then modify router settings, intercept network traffic, or potentially use the compromised router as a pivot point to access other systems on the network. If the router passwords are reused across multiple systems, the impact could extend beyond the compromised router, affecting other devices and services.

Recommendation

• Monitor web server logs for requests to the /rom-0 endpoint on Across DR-810 routers to detect potential exploitation attempts using the provided Sigma rule.
• Inspect network traffic for unusual downloads from Across DR-810 routers, focusing on responses from the /rom-0 endpoint.
• Block access to the /rom-0 endpoint on Across DR-810 routers via firewall rules to prevent unauthorized access.
• Review the provided reference URLs for additional context and potential mitigation strategies.

]]>criticaladvisorycve-2019-25706file-disclosurerouternetworkhttps://feed.craftedsignal.io/briefs/2026-04-tenda-f451-bo/Sun, 12 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-tenda-f451-bo/A remote stack-based buffer overflow vulnerability exists in the fromDhcpListClient function of the /goform/DhcpListClient component (httpd) within Tenda F451 firmware version 1.0.0.7, triggered by manipulating the 'page' argument, potentially allowing for arbitrary code execution.A stack-based buffer overflow vulnerability has been identified in Tenda F451 router firmware version 1.0.0.7. The vulnerability resides in the fromDhcpListClient function within the /goform/DhcpListClient component’s httpd service. A remote attacker can exploit this vulnerability by sending a specially crafted HTTP request with a malicious page argument. This can lead to arbitrary code execution on the device. Given the public availability of the exploit (CVE-2026-6120), Tenda F451 routers are at immediate risk of compromise if not properly secured. This vulnerability poses a significant threat due to the widespread use of Tenda routers in home and small office environments.

Attack Chain

1. Attacker identifies a Tenda F451 router running vulnerable firmware version 1.0.0.7.
2. The attacker crafts a malicious HTTP GET or POST request targeting the /goform/DhcpListClient endpoint.
3. The crafted request includes a page argument with a string exceeding the buffer size allocated for it in the fromDhcpListClient function.
4. The httpd service on the router receives the malicious request and passes the page argument to the vulnerable function.
5. The fromDhcpListClient function attempts to copy the oversized page argument into a fixed-size buffer on the stack, causing a buffer overflow.
6. The overflow overwrites adjacent stack memory, including the return address of the function.
7. The attacker controls the overwritten return address, redirecting execution to attacker-controlled code or a ROP chain.
8. The attacker gains arbitrary code execution on the router, potentially leading to complete device compromise and network access.

Impact

Successful exploitation of this vulnerability can lead to complete compromise of the Tenda F451 router. This allows attackers to control the device, intercept network traffic, change DNS settings, inject malicious scripts into web pages served to connected devices, or use the router as a pivot point for further attacks within the network. This vulnerability affects all users of the Tenda F451 router running firmware version 1.0.0.7, potentially impacting thousands of devices globally. Given the high CVSS score of 8.8, the risk is substantial.

Recommendation

• Monitor web server logs for suspicious requests targeting the /goform/DhcpListClient endpoint, especially those with unusually long page parameters (refer to the rule Tenda F451 Suspicious URI Length).
• Inspect network traffic for abnormal patterns related to compromised routers (unusual DNS requests, connections to known malicious IPs).
• Implement rate limiting and input validation on web server endpoints where possible to mitigate buffer overflow attempts.
• Apply any available firmware updates from Tenda to patch CVE-2026-6120, although patches may not be available.
• Consider deploying network intrusion detection systems (NIDS) to identify and block exploitation attempts (refer to the Tenda F451 Buffer Overflow Attempt rule).

]]>criticaladvisorytendarouterbuffer-overflowcve-2026-6120iothttps://feed.craftedsignal.io/briefs/2026-04-tenda-f451-overflow/Sun, 12 Apr 2026 08:16:37 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-tenda-f451-overflow/Tenda F451 router version 1.0.0.7 is vulnerable to a stack-based buffer overflow in the frmL7ProtForm function, enabling remote attackers to execute arbitrary code by manipulating the 'page' argument.A critical stack-based buffer overflow vulnerability has been identified in Tenda F451 router version 1.0.0.7. The vulnerability resides within the frmL7ProtForm function of the /goform/L7Prot component, specifically within the httpd service. A remote attacker can exploit this flaw by crafting a malicious request targeting the page argument. Successful exploitation allows the attacker to execute arbitrary code on the device. Publicly available exploit code exists, increasing the risk of widespread exploitation. This vulnerability poses a significant threat to affected devices, potentially leading to full device compromise.

Attack Chain

1. Attacker identifies a vulnerable Tenda F451 router running firmware version 1.0.0.7.
2. Attacker crafts a malicious HTTP GET or POST request targeting the /goform/L7Prot endpoint.
3. The malicious request includes the page argument with a payload exceeding the buffer size allocated for it within the frmL7ProtForm function.
4. The httpd service processes the request without proper bounds checking on the page argument.
5. The oversized payload overflows the stack buffer during the execution of the frmL7ProtForm function.
6. The buffer overflow overwrites adjacent memory regions on the stack, including the return address.
7. The attacker-controlled return address redirects execution to attacker-supplied code or a return-oriented programming (ROP) chain.
8. The attacker executes arbitrary code on the router, potentially gaining full control of the device.

Impact

Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the affected Tenda F451 router. This can lead to a complete compromise of the device, allowing the attacker to modify router settings, intercept network traffic, or use the device as a bot in a botnet. Given the availability of public exploits, vulnerable devices are at high risk of compromise. The number of potentially affected devices is substantial, as the Tenda F451 is a widely used router model.

Recommendation

• Monitor web server logs for requests to /goform/L7Prot with unusually long page parameters, deploying the Sigma rule Detect Tenda F451 Buffer Overflow Attempt to identify potential exploitation attempts.
• Since no patch is available, consider replacing the Tenda F451 1.0.0.7 with a more secure router or firewall solution.
• Implement network segmentation to limit the impact of a compromised router on other network devices.
• Disable remote administration access to the router to reduce the attack surface.

]]>criticaladvisorycve-2026-6122buffer-overflowroutertendahttps://feed.craftedsignal.io/briefs/2026-04-tenda-overflow/Sun, 12 Apr 2026 08:16:36 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-tenda-overflow/A stack-based buffer overflow vulnerability (CVE-2026-6121) exists in the WrlclientSet function of the /goform/WrlclientSet file in the httpd component of Tenda F451 version 1.0.0.7, allowing remote attackers to execute arbitrary code by manipulating the GO argument.CVE-2026-6121 is a stack-based buffer overflow vulnerability affecting Tenda F451 router version 1.0.0.7. The vulnerability resides within the WrlclientSet function located in the /goform/WrlclientSet file of the httpd component. An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the affected router, specifically manipulating the GO argument. Due to insufficient bounds checking on the GO argument’s size when passed to the WrlclientSet function, an attacker can write beyond the allocated buffer on the stack, potentially leading to arbitrary code execution. Publicly available exploits exist, increasing the risk of widespread exploitation. Routers that are accessible from the internet are at highest risk.

Attack Chain

1. Attacker identifies a Tenda F451 router version 1.0.0.7 exposed to the internet.
2. The attacker crafts a malicious HTTP POST request targeting the /goform/WrlclientSet endpoint.
3. Within the HTTP POST request, the attacker includes the GO argument, filling it with a payload exceeding the buffer size allocated for it within the WrlclientSet function.
4. The httpd component of the Tenda F451 router receives the HTTP request and passes the GO argument to the vulnerable WrlclientSet function.
5. Due to the buffer overflow, the attacker’s payload overwrites adjacent memory locations on the stack.
6. The attacker’s payload overwrites the return address on the stack, redirecting execution flow to attacker-controlled code.
7. The attacker-controlled code executes with the privileges of the httpd process, allowing the attacker to perform actions such as modifying router configuration, executing system commands, or establishing a reverse shell.
8. The attacker gains persistent access to the router and potentially the internal network.

Impact

Successful exploitation of CVE-2026-6121 can lead to complete compromise of the affected Tenda F451 router. An attacker can gain unauthorized access to the device’s configuration, potentially modifying DNS settings, firewall rules, or other critical parameters. This can lead to redirection of user traffic, denial-of-service attacks, or the establishment of a foothold within the targeted network for further malicious activities. Given the ease of exploitation due to the publicly available exploit code, a large number of Tenda F451 routers could be compromised.

Recommendation

• Monitor web server logs for POST requests to /goform/WrlclientSet with abnormally long GO parameter values to detect potential exploitation attempts (see Sigma rule below and enable webserver logging).
• Implement rate limiting for requests to the /goform/WrlclientSet endpoint to mitigate potential brute-force exploitation attempts (configure your firewall or WAF).
• Upgrade to a patched firmware version when available or replace the affected devices, if the vendor does not provide a fix.

]]>criticaladvisorycve-2026-6121buffer-overflowtendarouterhttps://feed.craftedsignal.io/briefs/2026-04-tenda-rce/Fri, 10 Apr 2026 00:16:36 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-tenda-rce/A stack-based buffer overflow vulnerability in the Tenda F451 router (version 1.0.0.7) allows remote attackers to execute arbitrary code by manipulating the 'page' argument in the fromRouteStatic function of the /goform/RouteStatic file.A critical vulnerability, identified as CVE-2026-5989, affects the Tenda F451 router, specifically version 1.0.0.7. The vulnerability lies within the fromRouteStatic function of the /goform/RouteStatic file. By manipulating the page argument, a remote attacker can trigger a stack-based buffer overflow, potentially leading to arbitrary code execution. Publicly available exploit code exists, increasing the risk of exploitation. This vulnerability poses a significant threat as it allows unauthenticated remote attackers to compromise the router, potentially leading to network disruption, data theft, or use of the device in botnet activities.

Attack Chain

1. The attacker identifies a vulnerable Tenda F451 router (version 1.0.0.7) exposed to the internet.
2. The attacker crafts a malicious HTTP request targeting the /goform/RouteStatic endpoint.
3. The request includes a page argument with a payload designed to overflow the stack buffer in the fromRouteStatic function.
4. The vulnerable fromRouteStatic function processes the malicious page argument without proper bounds checking.
5. The buffer overflow overwrites critical data on the stack, including the return address.
6. Upon function return, control is redirected to the attacker-controlled memory region.
7. The attacker executes arbitrary code injected into the overflowed buffer, such as downloading and executing a reverse shell.
8. The attacker gains remote access to the router, potentially allowing further exploitation or network compromise.

Impact

Successful exploitation of CVE-2026-5989 allows an attacker to gain complete control of the Tenda F451 router. This can lead to a variety of damaging outcomes, including denial-of-service attacks against the local network, interception of network traffic, modification of router settings, and the potential use of the compromised router as a node in a botnet. Given the widespread use of Tenda routers in home and small business environments, a large number of devices could be at risk if this vulnerability is actively exploited.

Recommendation

• Monitor web server logs for requests to /goform/RouteStatic containing abnormally long page arguments, as this is indicative of potential exploit attempts. Deploy the Sigma rule Detect Tenda F451 Exploit Attempt to detect these malicious requests.
• Implement rate limiting on requests to the /goform/RouteStatic endpoint to mitigate potential denial-of-service attacks.
• Since there is no patch available, consider replacing vulnerable Tenda F451 routers with more secure devices from other vendors.

]]>criticalthreattendarouterbuffer_overflowrcehttps://feed.craftedsignal.io/briefs/2026-04-dlink-dir605l-buffer-overflow/Thu, 09 Apr 2026 21:16:14 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-dlink-dir605l-buffer-overflow/A buffer overflow vulnerability exists in the D-Link DIR-605L router version 2.13B01, allowing a remote attacker to execute arbitrary code by manipulating the `curTime` argument in the `formSetMACFilter` function.CVE-2026-5980 is a critical buffer overflow vulnerability affecting the D-Link DIR-605L router, specifically version 2.13B01. The vulnerability resides in the formSetMACFilter function within the /goform/formSetMACFilter component’s POST Request Handler. A remote attacker can exploit this by sending a crafted POST request with a malicious curTime argument, leading to a buffer overflow. Exploit code is publicly available. Due to the product’s end-of-life status, no patch is available, making unpatched devices highly vulnerable. This allows for potential remote code execution and complete compromise of the device.

Attack Chain

1. The attacker identifies a vulnerable D-Link DIR-605L router (version 2.13B01) exposed to the internet.
2. The attacker crafts a malicious POST request targeting the /goform/formSetMACFilter endpoint.
3. Within the POST request, the attacker includes the curTime parameter, injecting a string exceeding the buffer’s expected size.
4. The router’s formSetMACFilter function processes the POST request without proper bounds checking on the curTime argument.
5. The oversized curTime string overflows the buffer, overwriting adjacent memory regions.
6. The attacker carefully crafts the overflow to overwrite critical data, such as return addresses or function pointers.
7. When the formSetMACFilter function attempts to return, the overwritten return address is used, redirecting execution to attacker-controlled code.
8. The attacker gains arbitrary code execution on the router, potentially installing malware, changing configurations, or using the device for further malicious activities.

Impact

Successful exploitation of CVE-2026-5980 allows a remote attacker to gain complete control over the vulnerable D-Link DIR-605L router. Given that the affected product is no longer supported, a large number of legacy routers remain vulnerable. Attackers can leverage compromised routers to establish botnets, conduct man-in-the-middle attacks, or gain unauthorized access to internal networks connected to the router. The lack of patches elevates the severity, as affected users have no direct mitigation available other than replacing the device.

Recommendation

• Deploy the Sigma rule Detect D-Link DIR-605L Buffer Overflow Attempt to identify malicious POST requests targeting the /goform/formSetMACFilter endpoint on D-Link DIR-605L devices.
• Implement network segmentation to isolate potentially vulnerable D-Link DIR-605L routers to limit the impact of a successful compromise.
• If possible, replace D-Link DIR-605L routers (version 2.13B01) with newer, supported devices to eliminate the vulnerability.

]]>criticaladvisorycvebuffer_overflowrouterd-linkhttps://feed.craftedsignal.io/briefs/2026-04-dlink-dir605l-bo/Thu, 09 Apr 2026 21:16:13 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-dlink-dir605l-bo/A remote buffer overflow vulnerability exists in the D-Link DIR-605L version 2.13B01 due to improper handling of the 'curTime' argument in the '/goform/formVirtualServ' POST request handler, potentially allowing attackers to execute arbitrary code.A buffer overflow vulnerability, CVE-2026-5979, has been identified in D-Link DIR-605L router with firmware version 2.13B01. The vulnerability resides in the formVirtualServ function within the /goform/formVirtualServ component, specifically within the POST request handler. By manipulating the curTime argument, a remote attacker can trigger a buffer overflow. According to the NVD, an exploit is publicly available, increasing the risk of exploitation. This vulnerability affects end-of-life products, making patching impossible.

Attack Chain

1. Attacker identifies a vulnerable D-Link DIR-605L router running firmware 2.13B01.
2. Attacker crafts a malicious HTTP POST request targeting the /goform/formVirtualServ endpoint.
3. The POST request includes the curTime argument with a value exceeding the buffer’s capacity.
4. The router’s formVirtualServ function processes the POST request without proper bounds checking.
5. The oversized curTime value overwrites adjacent memory regions on the stack or heap.
6. The attacker carefully crafts the overflow payload to overwrite the return address.
7. Upon returning from the formVirtualServ function, control is transferred to the attacker-controlled address.
8. The attacker executes arbitrary code on the router, potentially gaining full control.

Impact

Successful exploitation of this buffer overflow vulnerability (CVE-2026-5979) can lead to complete compromise of the D-Link DIR-605L router. Attackers could potentially execute arbitrary code, enabling them to modify router settings, intercept network traffic, or use the compromised device as a pivot point for further attacks within the network. Due to the product being end-of-life, a patch is not available. The number of vulnerable devices is unknown.

Recommendation

• Monitor webserver logs for requests to /goform/formVirtualServ with unusually long curTime parameters to detect potential exploitation attempts (see Sigma rule “Detect Suspiciously Long curTime Parameter in D-Link Routers”).
• Implement network intrusion detection system (IDS) rules to detect suspicious traffic patterns associated with buffer overflow exploits targeting web interfaces.
• Since this device is end-of-life, consider replacing the D-Link DIR-605L router with a supported model to mitigate the risk, as there will be no patches issued.
• Examine network traffic for unusual outbound connections originating from D-Link DIR-605L routers to identify potentially compromised devices (see Sigma rule “Detect Outbound Connections from D-Link Routers”).

]]>criticaladvisorydlinkrouterbuffer_overflowcve-2026-5979https://feed.craftedsignal.io/briefs/2026-04-decolua-auth-bypass/Thu, 09 Apr 2026 05:16:06 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-decolua-auth-bypass/CVE-2026-5842 is an authorization bypass vulnerability in decolua 9router versions up to 0.3.47, allowing remote attackers to gain unauthorized access via manipulation of the /api endpoint.A critical security vulnerability, CVE-2026-5842, affects decolua 9router versions up to 0.3.47. The vulnerability resides within an unknown function of the /api endpoint, specifically the Administrative API. Successful exploitation of this flaw allows a remote attacker to bypass authorization controls, potentially gaining administrative privileges. A public exploit for this vulnerability has been disclosed, increasing the risk of exploitation. Organizations using vulnerable versions of decolua 9router should upgrade to version 0.3.75 as soon as possible to mitigate the risk. This vulnerability was published on April 9, 2026 and poses a significant threat due to the availability of a public exploit.

Attack Chain

1. Attacker identifies a vulnerable decolua 9router instance running a version prior to 0.3.75.
2. The attacker sends a crafted HTTP request to the /api endpoint.
3. The crafted request exploits the authorization bypass vulnerability in the targeted function.
4. The vulnerable application fails to properly validate the attacker’s authorization, granting them access.
5. The attacker gains unauthorized access to administrative functionalities.
6. The attacker leverages the unauthorized access to modify router configurations.
7. The attacker can then potentially perform actions like changing DNS settings, creating rogue user accounts, or disrupting network services.

Impact

Successful exploitation of CVE-2026-5842 allows attackers to bypass authorization and gain unauthorized administrative access to the decolua 9router. This can lead to complete compromise of the router, allowing attackers to eavesdrop on network traffic, redirect traffic to malicious sites, or disrupt network services. Given the availability of a public exploit, vulnerable routers are at high risk of compromise. This vulnerability can have severe consequences for both home and business networks relying on decolua 9router.

Recommendation

• Upgrade all decolua 9router instances to version 0.3.75 or later to remediate CVE-2026-5842.
• Monitor web server logs for suspicious activity targeting the /api endpoint using the Sigma rule provided below.
• Implement firewall rules to restrict access to the administrative interface of the router.
• Review and audit existing router configurations for any unauthorized changes after applying the provided Sigma rule to detect any potential intrusions.

]]>highadvisorycveauthorization-bypassrouterhttps://feed.craftedsignal.io/briefs/2026-04-dlink-command-injection/Thu, 09 Apr 2026 05:16:06 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-dlink-command-injection/A command injection vulnerability (CVE-2026-5844) exists in the D-Link DIR-882 router version 1.01B02, allowing a remote attacker to execute arbitrary OS commands by manipulating the IPAddress argument in the HNAP1 SetNetworkSettings Handler via the prog.cgi script.CVE-2026-5844 describes a critical command injection vulnerability affecting D-Link DIR-882 routers running firmware version 1.01B02. The vulnerability resides in the sprintf function within the prog.cgi script, specifically within the HNAP1 SetNetworkSettings Handler. A remote, unauthenticated attacker can exploit this flaw by manipulating the IPAddress argument, injecting arbitrary OS commands that are then executed with elevated privileges. The vulnerability is considered critical due to the potential for complete system compromise and the availability of a public exploit. This vulnerability impacts products that are no longer supported by the maintainer, increasing the risk for users who have not migrated to newer devices.

Attack Chain

1. The attacker identifies a vulnerable D-Link DIR-882 router running firmware version 1.01B02.
2. The attacker sends a crafted HTTP request to the prog.cgi endpoint.
3. The HTTP request targets the HNAP1 SetNetworkSettings Handler.
4. The attacker manipulates the IPAddress argument within the HTTP request, injecting malicious OS commands.
5. The sprintf function in prog.cgi processes the attacker-controlled IPAddress argument without proper sanitization.
6. The injected OS commands are executed on the router’s operating system due to the command injection vulnerability in sprintf.
7. The attacker gains remote code execution on the router.
8. The attacker can then perform actions such as modifying router settings, eavesdropping on network traffic, or using the router as a botnet node.

Impact

Successful exploitation of CVE-2026-5844 allows a remote attacker to execute arbitrary OS commands on the vulnerable D-Link DIR-882 router. This can lead to a complete compromise of the device, enabling attackers to reconfigure the router, intercept network traffic, or use the compromised device as part of a botnet. The vulnerability affects end-of-life products, meaning no official patches are available. The impact is significant due to the widespread use of these routers in home and small business networks, where they can act as a gateway to internal systems.

Recommendation

• Deploy the Sigma rule Detect D-Link DIR-882 Command Injection Attempt to detect suspicious requests to prog.cgi containing shell metacharacters.
• Block access to the URL https://files.catbox.moe/ei31k1.zip to prevent the download of the publicly available exploit (IOC).
• Monitor web server logs for HTTP requests to prog.cgi with unusually long IPAddress parameters (log source: webserver).
• Implement network intrusion detection systems (IDS) rules to identify and block exploit attempts targeting CVE-2026-5844 (log source: network_connection).

]]>criticaladvisorycommand-injectiond-linkroutercve-2026-5844https://feed.craftedsignal.io/briefs/2026-04-tenda-ac15-overflow/Thu, 09 Apr 2026 02:16:17 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-tenda-ac15-overflow/A stack-based buffer overflow vulnerability (CVE-2026-5830) in Tenda AC15 firmware version 15.03.05.18 allows remote attackers to execute arbitrary code by manipulating password change parameters, potentially leading to complete device compromise.A critical stack-based buffer overflow vulnerability, tracked as CVE-2026-5830, has been identified in Tenda AC15 routers running firmware version 15.03.05.18. The vulnerability resides in the websGetVar function within the /goform/SysToolChangePwd file, which handles password change requests. By crafting malicious requests and manipulating the oldPwd, newPwd, or cfmPwd arguments, an attacker can overwrite the stack, potentially leading to arbitrary code execution. The vulnerability is remotely exploitable by an authenticated user, and publicly available exploit code exists, increasing the risk of widespread exploitation. This poses a significant threat to home and small business networks using affected Tenda AC15 routers.

Attack Chain

1. An attacker gains unauthorized access to the router’s web management interface, potentially through weak credentials or brute-forcing.
2. The attacker crafts a malicious HTTP POST request to /goform/SysToolChangePwd.
3. The crafted request includes oversized data within the oldPwd, newPwd, or cfmPwd parameters.
4. The websGetVar function processes the request without proper bounds checking.
5. The oversized data overflows the stack buffer, overwriting adjacent memory regions.
6. The attacker carefully crafts the overflow to overwrite the return address on the stack.
7. The websGetVar function returns, diverting execution to the attacker-controlled address.
8. The attacker-controlled address contains shellcode that executes arbitrary commands, potentially granting complete control over the device.

Impact

Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the affected Tenda AC15 router. This could lead to complete device compromise, including unauthorized access to network traffic, modification of router settings, installation of malware, and use of the compromised device as a botnet node. Given the potentially widespread use of Tenda AC15 routers in home and small business environments, a large number of devices could be vulnerable.

Recommendation

• Apply available patches from Tenda to remediate CVE-2026-5830 as soon as they become available.
• Monitor webserver logs for suspicious POST requests to /goform/SysToolChangePwd with unusually long oldPwd, newPwd, or cfmPwd parameters and deploy the Sigma rule Detect Tenda AC15 Password Change Overflow.
• Implement strong password policies and multi-factor authentication to prevent unauthorized access to the router’s web management interface.
• Restrict access to the router’s web management interface to trusted networks only by configuring firewall rules.

]]>criticaladvisorycve-2026-5830tendarouterbuffer-overflowstack-overflowhttps://feed.craftedsignal.io/briefs/2026-04-dlink-router-vulnerability/Wed, 08 Apr 2026 09:58:56 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-dlink-router-vulnerability/The 'Airsnitch' vulnerability in D-LINK Router M60 and DIR-3040 allows an attacker from an adjacent network to bypass security measures, disclose confidential information, and manipulate network traffic.The ‘Airsnitch’ vulnerability affects D-LINK Router models M60 and DIR-3040. An attacker positioned within an adjacent network can exploit this flaw to circumvent security protocols. This access allows the attacker to potentially expose sensitive data and manipulate network traffic. The specifics of the vulnerability exploitation are not detailed in this advisory, but the impact suggests a significant compromise of network security and data integrity. Defenders should prioritize identifying and mitigating this vulnerability to prevent unauthorized access and data breaches. This vulnerability poses a risk to both home and enterprise networks utilizing the affected D-LINK router models.

Attack Chain

1. Attacker gains access to an adjacent network, either physically or via compromised wireless access.
2. Attacker sends crafted network packets targeting the D-LINK router’s management interface.
3. The ‘Airsnitch’ vulnerability is exploited, bypassing authentication or authorization checks.
4. Attacker gains unauthorized access to the router’s configuration settings.
5. Attacker modifies DNS settings to redirect traffic to malicious servers.
6. Attacker intercepts and analyzes network traffic, capturing sensitive information like usernames and passwords.
7. Attacker injects malicious code into network traffic, potentially compromising other devices on the network.
8. Attacker maintains persistent access by creating a rogue administrator account or installing malicious firmware.

Impact

Successful exploitation of the ‘Airsnitch’ vulnerability can lead to significant compromise of network security. Attackers can gain unauthorized access to sensitive information, manipulate network traffic, and potentially compromise other devices on the network. This can result in data breaches, financial losses, and reputational damage. The number of potential victims is significant, given the widespread use of D-LINK routers in both home and enterprise environments.

Recommendation

• Analyze network traffic for suspicious patterns indicative of unauthorized access attempts to the D-LINK router’s management interface to facilitate tuning of existing firewall rules and creation of new rules.
• Monitor DNS settings on D-LINK routers for unauthorized modifications using network monitoring tools.
• Implement strict access control policies on the adjacent network to limit the attacker’s ability to reach the D-LINK routers.

]]>highadvisoryd-linkrouterairsnitchvulnerabilitynetwork-traffic-manipulationhttps://feed.craftedsignal.io/briefs/2026-04-tenda-cx12l-stack-overflow/Mon, 06 Apr 2026 22:16:24 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-tenda-cx12l-stack-overflow/A stack-based buffer overflow vulnerability (CVE-2026-5686) exists in the Tenda CX12L router version 16.03.53.12, allowing remote attackers to potentially execute arbitrary code by manipulating the 'page' argument in the `/goform/RouteStatic` endpoint.CVE-2026-5686 is a critical vulnerability affecting Tenda CX12L routers running firmware version 16.03.53.12. This stack-based buffer overflow is located in the fromRouteStatic function within the /goform/RouteStatic file. A remote, unauthenticated attacker can exploit this vulnerability by sending a crafted request with a malicious page argument. Publicly available exploit code exists, increasing the risk of widespread exploitation. Successful exploitation could lead to arbitrary code execution, potentially allowing attackers to gain full control of the affected router. This poses a significant risk to home and small business networks using the vulnerable device.

Attack Chain

1. The attacker identifies a Tenda CX12L router running firmware version 16.03.53.12.
2. The attacker sends a crafted HTTP POST request to /goform/RouteStatic.
3. The request includes a page argument with a string exceeding the buffer size allocated to the fromRouteStatic function.
4. The oversized page argument overwrites adjacent memory on the stack, including the return address.
5. When the fromRouteStatic function returns, it attempts to jump to the overwritten return address controlled by the attacker.
6. The attacker’s payload, injected via the overflowed buffer, is executed with the privileges of the httpd process.
7. The attacker gains remote code execution on the router.
8. The attacker can then use the compromised router as a foothold for further attacks, such as network reconnaissance, lateral movement, or data exfiltration.

Impact

Successful exploitation of CVE-2026-5686 allows a remote attacker to execute arbitrary code on the affected Tenda CX12L router. This could lead to a complete compromise of the device, enabling attackers to modify router settings, intercept network traffic, or use the router as a proxy for malicious activities. Given the widespread use of Tenda routers in home and small business networks, this vulnerability could have a significant impact, potentially affecting thousands of users. A successful attack could lead to data breaches, service disruptions, and further compromise of connected devices within the network.

Recommendation

• Apply available patches or firmware updates provided by Tenda to address CVE-2026-5686.
• Monitor web server logs for suspicious POST requests to /goform/RouteStatic with unusually long page parameters, using the provided Sigma rule.
• Implement network intrusion detection systems (IDS) to detect and block exploit attempts targeting this vulnerability.
• Restrict access to the router’s administrative interface to trusted networks or IP addresses to limit the attack surface.
• Regularly review router configurations and security settings to ensure they align with best practices.

]]>criticaladvisorycve-2026-5686tendarouterstack-based buffer overflowremote code executionhttps://feed.craftedsignal.io/briefs/2026-04-tenda-cx12l-buffer-overflow/Mon, 06 Apr 2026 22:16:24 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-tenda-cx12l-buffer-overflow/A stack-based buffer overflow vulnerability exists in the Tenda CX12L router (version 16.03.53.12) due to improper handling of the 'page' argument in the 'fromwebExcptypemanFilter' function, potentially allowing attackers with local network access to execute arbitrary code.A critical stack-based buffer overflow vulnerability has been identified in Tenda CX12L routers running firmware version 16.03.53.12. The vulnerability resides within the fromwebExcptypemanFilter function in the /goform/webExcptypemanFilter file. An attacker with local network access can exploit this flaw by manipulating the page argument passed to this function, leading to arbitrary code execution on the device. The vulnerability, identified as CVE-2026-5684, has a CVSS v3.1 score of 8.0, indicating a high severity. Public exploits for this vulnerability are available, making it crucial for network administrators to address this issue promptly. Successful exploitation could allow an attacker to gain complete control of the router, potentially leading to data theft, network compromise, or denial of service.

Attack Chain

1. Attacker gains access to the local network where the Tenda CX12L router is located.
2. The attacker crafts a malicious HTTP request targeting the /goform/webExcptypemanFilter endpoint.
3. The crafted request includes a page argument with a payload exceeding the buffer size allocated for it within the fromwebExcptypemanFilter function.
4. The router processes the HTTP request and passes the overly long page argument to the vulnerable function.
5. The fromwebExcptypemanFilter function attempts to write the contents of the page argument into a fixed-size buffer on the stack.
6. Due to the excessive length of the page argument, the buffer overflows, overwriting adjacent memory regions on the stack.
7. The attacker leverages the buffer overflow to overwrite the return address on the stack with the address of malicious code or a ROP chain.
8. When the fromwebExcptypemanFilter function returns, control is transferred to the attacker-controlled code, allowing for arbitrary code execution.

Impact

Successful exploitation of CVE-2026-5684 allows an attacker with local network access to gain complete control of the affected Tenda CX12L router. This can lead to a variety of malicious activities, including unauthorized access to network traffic, modification of router settings, deployment of malicious firmware, and use of the compromised router as a botnet node. Given the availability of public exploits, organizations using this router model are at significant risk. The number of potential victims is dependent on the number of unpatched Tenda CX12L devices deployed.

Recommendation

• Monitor webserver logs for HTTP requests targeting the /goform/webExcptypemanFilter endpoint with abnormally long page parameters to detect potential exploitation attempts. (Log Source: webserver, Rule: “Detect Tenda CX12L Web Request with Long Page Parameter”)
• Deploy the Sigma rule “Detect Tenda CX12L Stack Buffer Overflow Attempt” to identify suspicious process creations following a potential exploit.
• Review and restrict local network access to the Tenda CX12L router to reduce the attack surface, as the exploit requires local network access.
• Contact Tenda for a security patch or firmware update to address CVE-2026-5684.

]]>highadvisorytendarouterbuffer-overflowcve-2026-5684https://feed.craftedsignal.io/briefs/2026-04-tenda-ch22-overflow/Sun, 05 Apr 2026 23:16:20 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-tenda-ch22-overflow/A stack-based buffer overflow vulnerability (CVE-2026-5604) in Tenda CH22 1.0.0.1 allows remote attackers to execute arbitrary code by manipulating the 'standard' argument in the formCertLocalPrecreate function of the /goform/CertLocalPrecreate file within the Parameter Handler component.CVE-2026-5604 details a critical security vulnerability affecting Tenda CH22 router version 1.0.0.1. The vulnerability is a stack-based buffer overflow located in the formCertLocalPrecreate function within the /goform/CertLocalPrecreate file, which handles parameters. Attackers can exploit this flaw by manipulating the standard argument. The vulnerability can be triggered remotely, meaning an attacker does not need local access to the device. Given that a public exploit is available, this vulnerability poses a significant risk to users of the affected Tenda CH22 router. This allows unauthenticated attackers to potentially gain full control of the device.

Attack Chain

1. An attacker identifies a Tenda CH22 router version 1.0.0.1 exposed to the internet.
2. The attacker crafts a malicious HTTP request targeting the /goform/CertLocalPrecreate endpoint.
3. The attacker includes an overly long string as the value for the standard parameter in the HTTP request.
4. The Tenda CH22 router receives the malicious request and passes the standard parameter to the formCertLocalPrecreate function.
5. The formCertLocalPrecreate function copies the oversized standard argument into a fixed-size buffer on the stack without proper bounds checking.
6. This causes a stack-based buffer overflow, overwriting adjacent memory regions, including the return address of the function.
7. The attacker controls the overwritten return address to point to attacker-controlled code injected into memory, or to a Return-Oriented Programming (ROP) chain.
8. Upon function return, execution is redirected to the attacker’s code, allowing them to execute arbitrary commands on the router.

Impact

Successful exploitation of CVE-2026-5604 allows a remote, unauthenticated attacker to execute arbitrary code on the Tenda CH22 router. This could lead to a complete compromise of the device, allowing the attacker to gain control over network traffic, modify router settings, or use the device as part of a botnet. Given the wide deployment of Tenda routers, a large number of devices could be vulnerable, making this a high-impact vulnerability.

Recommendation

• Monitor web server logs for requests to /goform/CertLocalPrecreate with unusually long standard parameters to identify potential exploit attempts (see rule: “Detect Tenda CH22 Buffer Overflow Attempt via Long Standard Parameter”).
• Implement rate limiting on the /goform/CertLocalPrecreate endpoint to mitigate brute-force exploitation attempts.
• Apply any available firmware updates from Tenda to patch CVE-2026-5604.
• Deploy the Sigma rule “Detect Tenda CH22 Router POST Request to CertLocalPrecreate” to identify suspicious POST requests to the affected endpoint and tune for your environment.

]]>criticaladvisorycve-2026-5604buffer-overflowtendarouterhttps://feed.craftedsignal.io/briefs/2026-04-tenda-m3-overflow/Sun, 05 Apr 2026 13:17:14 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-tenda-m3-overflow/A buffer overflow vulnerability exists in Tenda M3 1.0.0.10 via manipulation of the policyType argument in the setAdvPolicyData function, allowing remote attackers to execute arbitrary code.A critical buffer overflow vulnerability has been identified in Tenda M3 router version 1.0.0.10. The vulnerability resides in the setAdvPolicyData function within the /goform/setAdvPolicyData file, a part of the Destination Handler component. By manipulating the policyType argument, a remote attacker can trigger a buffer overflow, potentially leading to arbitrary code execution. Publicly available exploit code exists, increasing the risk of exploitation. This vulnerability poses a significant threat to organizations utilizing the affected Tenda M3 router, potentially allowing attackers to gain unauthorized access to the network or disrupt services.

Attack Chain

1. Attacker identifies a vulnerable Tenda M3 router exposed to the internet or reachable from their network position.
2. Attacker sends a crafted HTTP POST request to /goform/setAdvPolicyData.
3. The POST request includes a malicious policyType argument designed to overflow the buffer in the setAdvPolicyData function.
4. The setAdvPolicyData function in /goform/setAdvPolicyData processes the policyType argument without proper bounds checking.
5. The excessive data provided in the policyType argument overwrites adjacent memory regions.
6. The attacker carefully crafts the overflow to overwrite critical data or inject malicious code into the process’s memory space.
7. The injected code is executed, giving the attacker control over the router.
8. The attacker can then use the compromised router as a foothold to pivot to other devices on the network, exfiltrate sensitive data, or cause denial of service.

Impact

Successful exploitation of this buffer overflow vulnerability allows a remote attacker to execute arbitrary code on the Tenda M3 router. This could lead to a complete compromise of the device, allowing the attacker to control network traffic, access sensitive information, or use the router as a launchpad for further attacks within the network. Given the severity and the existence of public exploits, vulnerable routers are at high risk of being targeted.

Recommendation

• Apply any available firmware updates from Tenda to patch CVE-2026-5567.
• Monitor web server logs for suspicious POST requests to /goform/setAdvPolicyData with unusually long policyType arguments; deploy the Sigma rule Detect Suspicious PolicyType Argument Length to identify this activity.
• Implement network segmentation to limit the potential impact of a compromised router.
• Consider using a web application firewall (WAF) to filter malicious requests targeting the affected endpoint.
• Review and restrict access to the router’s management interface to authorized personnel only.

]]>criticaladvisorycve-2026-5567buffer-overflowtendarouterwebserverhttps://feed.craftedsignal.io/briefs/2026-04-tenda-ac10-overflow/Sun, 05 Apr 2026 08:16:25 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-tenda-ac10-overflow/A stack-based buffer overflow vulnerability (CVE-2026-5550) in Tenda AC10 firmware version 16.03.10.10_multi_TDE01 within the /bin/httpd SysToolChangePwd function allows remote attackers to execute arbitrary code.A critical stack-based buffer overflow vulnerability, identified as CVE-2026-5550, exists in Tenda AC10 router firmware version 16.03.10.10_multi_TDE01. The vulnerability is located in the fromSysToolChangePwd function within the /bin/httpd binary. A remote attacker can exploit this flaw to overwrite the stack and potentially execute arbitrary code on the affected device. This is achieved by sending a specially crafted request to the device. Successful exploitation could lead to complete system compromise, allowing attackers to gain unauthorized access, control the device, or use it as a foothold for further network intrusion. Given the widespread use of Tenda routers, this vulnerability poses a significant risk to home and small business networks.

Attack Chain

1. The attacker identifies a Tenda AC10 router running firmware version 16.03.10.10_multi_TDE01.
2. The attacker crafts a malicious HTTP request targeting the /bin/httpd endpoint.
3. The malicious request is designed to overflow the buffer in the fromSysToolChangePwd function when processing the request parameters.
4. The overflow overwrites the stack with attacker-controlled data, including the return address.
5. The httpd process attempts to return from the fromSysToolChangePwd function.
6. Due to the overwritten return address, execution is redirected to the attacker’s code.
7. The attacker’s code executes with the privileges of the httpd process.
8. The attacker gains control of the device and can perform arbitrary actions, such as modifying router settings, executing commands, or establishing a backdoor.

Impact

Successful exploitation of CVE-2026-5550 allows a remote attacker to gain complete control of the affected Tenda AC10 router. This can lead to data breaches, denial-of-service attacks, or the router being used as part of a botnet. Given the potential for widespread exploitation and the ease with which the vulnerability can be triggered, CVE-2026-5550 poses a high risk to users of the affected Tenda AC10 router model. The attacker could potentially monitor all network traffic passing through the device, steal sensitive information, or use the compromised device to launch attacks against other systems on the network or the internet.

Recommendation

• Monitor web server logs for suspicious POST requests to /bin/httpd with abnormally large parameter values that could indicate a buffer overflow attempt targeting the fromSysToolChangePwd function to trigger the vulnerability (see the related Sigma rule below).
• Since a patch is not mentioned, consider replacing the affected Tenda AC10 device or isolating it from critical network segments if immediate replacement is not feasible.
• Deploy the Sigma rules in this brief to your SIEM and tune for your environment.

]]>criticaladvisorycve-2026-5550tendabuffer-overflowrouterhttps://feed.craftedsignal.io/briefs/2026-04-tenda-4g03-pro-access-control/Sat, 04 Apr 2026 23:16:44 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-tenda-4g03-pro-access-control/CVE-2026-5526 describes an improper access control vulnerability in the Tenda 4G03 Pro router's /bin/httpd file, allowing remote attackers to potentially gain unauthorized access.A security vulnerability, identified as CVE-2026-5526, affects the Tenda 4G03 Pro router, specifically versions up to 1.0/1.1/04.03.01.53/192.168.0.1. The flaw resides within an unspecified function of the /bin/httpd file, leading to improper access controls. A remote attacker could exploit this vulnerability, potentially gaining unauthorized access to the device. Publicly available exploits exist, increasing the risk of exploitation. This issue was reported on April 4, 2026, and poses a significant threat due to the ease of remote exploitation.

Attack Chain

1. Attacker identifies a Tenda 4G03 Pro router with a publicly accessible web interface.
2. The attacker crafts a malicious HTTP request targeting the /bin/httpd file.
3. The malicious request exploits the improper access control vulnerability (CVE-2026-5526).
4. The router’s /bin/httpd process improperly handles the request, bypassing access controls.
5. The attacker gains unauthorized access to sensitive functionalities of the router.
6. The attacker modifies router configurations, such as DNS settings or firewall rules.
7. The attacker could potentially use the compromised router as a pivot point for further network attacks.

Impact

Successful exploitation of CVE-2026-5526 could allow attackers to remotely compromise Tenda 4G03 Pro routers. This can lead to unauthorized access to the device’s configuration, modification of settings, or use of the router as a stepping stone for further attacks within the network. Given the availability of public exploits, unpatched devices are at significant risk. While the exact number of affected devices is unknown, the widespread use of Tenda routers makes this a potentially significant issue.

Recommendation

• Monitor web server logs for suspicious requests targeting /bin/httpd using the provided Sigma rule.
• Apply available firmware updates or patches from Tenda to address CVE-2026-5526 as soon as they are released.
• Implement network segmentation to limit the impact of a compromised router.
• Enforce strong password policies for router administration to prevent unauthorized access.
• Review and update firewall rules to restrict access to the router’s web interface from untrusted networks.
• Deploy the provided Sigma rule to detect suspicious process execution originating from the web server process.

]]>highadvisorycve-2026-5526tendarouteraccess-controlhttps://feed.craftedsignal.io/briefs/2026-03-tenda-ch22-bo/Tue, 31 Mar 2026 16:16:35 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-tenda-ch22-bo/A stack-based buffer overflow vulnerability (CVE-2026-5204) exists in the Tenda CH22 1.0.0.1 router, allowing remote attackers to execute arbitrary code by manipulating the webSiteId argument in the formWebTypeLibrary function.CVE-2026-5204 describes a critical stack-based buffer overflow vulnerability affecting Tenda CH22 router version 1.0.0.1. The vulnerability resides within the formWebTypeLibrary function in the /goform/webtypelibrary file, which handles web-based parameter input. An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the router, manipulating the webSiteId argument to overwrite the stack buffer. This allows for arbitrary code execution on the device. Given the router’s role as a network gateway, successful exploitation can lead to complete compromise of the device and potentially the entire network behind it. The availability of a public exploit increases the risk of widespread exploitation.

Attack Chain

1. The attacker identifies a vulnerable Tenda CH22 router running firmware version 1.0.0.1.
2. The attacker crafts a malicious HTTP POST request targeting the /goform/webtypelibrary endpoint.
3. The crafted request includes the webSiteId parameter with a payload exceeding the expected buffer size, triggering the stack-based buffer overflow in the formWebTypeLibrary function.
4. The overflow overwrites critical data on the stack, including the return address.
5. The overwritten return address is replaced with the address of malicious code injected into the payload or a pre-existing code location within the router’s firmware (Return-Oriented Programming - ROP).
6. The formWebTypeLibrary function returns, transferring control to the attacker-controlled code.
7. The attacker’s code executes, granting the attacker control over the device.
8. The attacker can then use this control to further compromise the network or disrupt services.

Impact

Successful exploitation of CVE-2026-5204 allows a remote attacker to execute arbitrary code on the vulnerable Tenda CH22 router. This can lead to complete control of the device, enabling the attacker to intercept network traffic, modify DNS settings, create VPNs, or launch further attacks on devices within the network. Given that routers are essential network devices, a successful attack can have a significant impact, affecting all connected devices and potentially exposing sensitive data.

Recommendation

• Apply available firmware updates for Tenda CH22 routers immediately to patch CVE-2026-5204.
• Deploy the Sigma rule Tenda-CH22-WebSiteId-Buffer-Overflow to detect exploitation attempts targeting the vulnerable endpoint.
• Monitor web server logs for suspicious POST requests to /goform/webtypelibrary with unusually long webSiteId parameters, as indicated by WebSiteId_Length_Detection Sigma rule.
• Implement network segmentation to limit the impact of a potential router compromise.

]]>criticaladvisorycve-2026-5204tendabuffer-overflowrouterhttps://feed.craftedsignal.io/briefs/2026-03-totolink-cve-2026-5176/Tue, 31 Mar 2026 02:15:59 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-totolink-cve-2026-5176/A command injection vulnerability (CVE-2026-5176) exists in the setSyslogCfg function of the Totolink A3300R router version 17.0.0cu.557_b20221024, allowing remote attackers to execute arbitrary commands by manipulating arguments in the /cgi-bin/cstecgi.cgi file.A command injection vulnerability, identified as CVE-2026-5176, has been discovered in Totolink A3300R routers running firmware version 17.0.0cu.557_b20221024. The vulnerability resides within the setSyslogCfg function located in the /cgi-bin/cstecgi.cgi file. An unauthenticated, remote attacker can exploit this flaw by manipulating arguments passed to the vulnerable function. This manipulation results in the execution of arbitrary commands on the affected device. Given the public…

]]>criticaladvisorycommand-injectioncve-2026-5176totolinkrouterhttps://feed.craftedsignal.io/briefs/2026-03-tenda-ch22-overflow/Tue, 31 Mar 2026 00:16:15 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-tenda-ch22-overflow/A stack-based buffer overflow vulnerability exists in Tenda CH22 1.0.0.1 via manipulation of the `mit_linktype` argument in the `/goform/QuickIndex` endpoint, potentially enabling remote code execution.A stack-based buffer overflow vulnerability has been identified in Tenda CH22 router version 1.0.0.1. The vulnerability resides within the formQuickIndex function of the /goform/QuickIndex file, which is a component of the Parameter Handler. This flaw can be triggered by manipulating the mit_linktype argument, leading to a buffer overflow on the stack. The vulnerability is remotely exploitable, meaning an attacker can trigger the flaw over the network without needing local access to the device. The existence of a public exploit further increases the risk of potential exploitation by malicious actors. Successful exploitation could allow an attacker to execute arbitrary code on the device.

Attack Chain

1. An attacker identifies a vulnerable Tenda CH22 router running firmware version 1.0.0.1 exposed to the internet.
2. The attacker crafts a malicious HTTP POST request targeting the /goform/QuickIndex endpoint.
3. The malicious request includes the mit_linktype argument with a payload exceeding the expected buffer size.
4. The Tenda CH22 router processes the HTTP request and passes the mit_linktype argument to the formQuickIndex function.
5. The formQuickIndex function copies the attacker-controlled mit_linktype data into a fixed-size buffer on the stack without proper bounds checking.
6. Due to the oversized payload, the copy operation overflows the buffer, overwriting adjacent memory on the stack, including the return address.
7. The formQuickIndex function completes and attempts to return to the caller function.
8. Due to the overwritten return address, control is redirected to attacker-controlled code, enabling arbitrary code execution.

Impact

Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the Tenda CH22 router. This can lead to a variety of malicious outcomes, including complete device compromise, denial of service, and the potential to use the router as a launchpad for further attacks on the local network or the internet. Given that routers are often used in both home and small business environments, a successful attack could affect a wide range of users and organizations.

Recommendation

• Monitor web server logs for POST requests to /goform/QuickIndex with unusually long mit_linktype parameters to detect potential exploitation attempts. Implement the Sigma rule Detect Tenda CH22 mit_linktype Buffer Overflow Attempt against web server logs.
• Implement rate limiting on the /goform/QuickIndex endpoint to mitigate potential denial-of-service attacks stemming from exploitation.
• Since the source material identifies CWE-119 and CWE-121 as root causes, review code practices related to buffer handling and implement stricter input validation procedures.

]]>criticaladvisorycve-2026-5156buffer-overflowtendarouterhttps://feed.craftedsignal.io/briefs/2026-03-tenda-ch22-buffer-overflow/Mon, 30 Mar 2026 23:17:04 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-tenda-ch22-buffer-overflow/A stack-based buffer overflow vulnerability exists in Tenda CH22 1.0.0.1/1.If allowing remote attackers to execute arbitrary code by manipulating the `funcname` argument in the `/goform/setcfm` endpoint.A critical stack-based buffer overflow vulnerability, identified as CVE-2026-5154, has been discovered in Tenda CH22 firmware version 1.0.0.1/1.If. The vulnerability resides within the fromSetCfm function in the /goform/setcfm file, a component of the Parameter Handler. Successful exploitation allows remote attackers to execute arbitrary code on the device. Publicly available exploits exist, increasing the risk of widespread exploitation. This vulnerability poses a significant threat to affected Tenda CH22 devices, potentially leading to complete system compromise.

Attack Chain

1. Attacker identifies a Tenda CH22 device running firmware version 1.0.0.1/1.If.
2. The attacker crafts a malicious HTTP POST request targeting the /goform/setcfm endpoint.
3. The request includes the funcname argument containing a string exceeding the buffer size allocated to it.
4. The fromSetCfm function processes the malicious funcname argument without proper bounds checking.
5. The oversized funcname value overflows the stack buffer, overwriting adjacent memory regions.
6. The attacker overwrites the return address on the stack with an address pointing to malicious code or a ROP chain.
7. The fromSetCfm function returns, causing execution to jump to the attacker-controlled address.
8. The attacker gains arbitrary code execution on the device, potentially leading to full system compromise.

Impact

Successful exploitation of this vulnerability allows a remote, unauthenticated attacker to execute arbitrary code on the affected Tenda CH22 device. This can result in complete device compromise, allowing the attacker to control the device, steal sensitive information, or use the device as a foothold for further attacks on the network. Given the availability of public exploits, a large number of devices could be compromised if left unpatched.

Recommendation

• Monitor web server logs for suspicious POST requests to /goform/setcfm with unusually long funcname parameters, using the provided Sigma rule.
• Implement rate limiting on requests to /goform/setcfm to mitigate potential brute-force exploitation attempts.
• Apply any available patches or firmware updates from Tenda to address CVE-2026-5154.

]]>criticaladvisorycve-2026-5154tendabuffer-overflowrouterhttps://feed.craftedsignal.io/briefs/2026-03-tenda-overflow/Sun, 29 Mar 2026 15:16:36 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-tenda-overflow/A stack-based buffer overflow vulnerability (CVE-2026-5046) in Tenda FH1201 version 1.2.0.14(408) allows remote attackers to execute arbitrary code by manipulating the GO argument in the formWrlExtraSet function of the /goform/WrlExtraSet component.CVE-2026-5046 is a stack-based buffer overflow vulnerability affecting Tenda FH1201 routers running firmware version 1.2.0.14(408). The vulnerability resides within the formWrlExtraSet function of the /goform/WrlExtraSet component, specifically in the handling of the GO argument. A remote attacker can exploit this flaw by sending a crafted HTTP request with a maliciously oversized GO parameter, overwriting the stack and potentially gaining arbitrary code execution on the device. The…

]]>criticaladvisoryCVE-2026-5046tendabuffer-overflowrouterhttps://feed.craftedsignal.io/briefs/2026-03-belkin-overflow/Sun, 29 Mar 2026 13:17:03 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-belkin-overflow/A stack-based buffer overflow vulnerability (CVE-2026-5044) in Belkin F9K1122 version 1.00.33 allows remote attackers to execute arbitrary code by manipulating the 'webpage' argument in the formSetSystemSettings function, potentially leading to complete system compromise.A critical security vulnerability, CVE-2026-5044, has been identified in Belkin F9K1122 router version 1.00.33. The vulnerability resides within the formSetSystemSettings function of the /goform/formSetSystemSettings file, which is part of the Setting Handler component. Successful exploitation allows a remote attacker to trigger a stack-based buffer overflow by manipulating the webpage argument. This could result in arbitrary code execution on the device. Publicly available exploit code…

]]>criticaladvisorycve-2026-5044buffer-overflowbelkinrouterhttps://feed.craftedsignal.io/briefs/2026-03-belkin-buffer-overflow/Sun, 29 Mar 2026 11:16:34 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-belkin-buffer-overflow/A stack-based buffer overflow vulnerability (CVE-2026-5042) exists in the Belkin F9K1122 router version 1.00.33, allowing remote attackers to execute arbitrary code by manipulating the webpage argument in the formCrossBandSwitch function.A critical stack-based buffer overflow vulnerability, identified as CVE-2026-5042, has been discovered in Belkin F9K1122 routers running firmware version 1.00.33. The vulnerability resides within the formCrossBandSwitch function of the /goform/formCrossBandSwitch file, a component of the Parameter Handler. Successful exploitation could allow a remote, unauthenticated attacker to execute arbitrary code on the device. Publicly available exploit code increases the risk of widespread…

]]>criticaladvisorycve-2026-5042buffer-overflowrouterhttps://feed.craftedsignal.io/briefs/2026-03-tenda-4g06-bo/Sun, 29 Mar 2026 08:15:56 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-tenda-4g06-bo/A stack-based buffer overflow vulnerability (CVE-2026-5036) exists in the fromDhcpListClient function of the Tenda 4G06 router (version 04.06.01.29), potentially allowing remote attackers to execute arbitrary code by manipulating the 'page' argument in the /goform/DhcpListClient endpoint.A stack-based buffer overflow vulnerability, identified as CVE-2026-5036, affects the Tenda 4G06 router, specifically version 04.06.01.29. The vulnerability resides in the fromDhcpListClient function within the /goform/DhcpListClient endpoint. A remote attacker can exploit this by crafting a malicious request that manipulates the page argument, leading to a buffer overflow on the stack. This could allow the attacker to potentially execute arbitrary code on the device. Given the…

]]>criticaladvisorycve-2026-5036buffer-overflowroutertendahttps://feed.craftedsignal.io/briefs/2026-03-tenda-f453-overflow/Sun, 29 Mar 2026 02:16:17 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-tenda-f453-overflow/A stack-based buffer overflow vulnerability in Tenda F453 1.0.0.3 allows a remote attacker to execute arbitrary code by manipulating the 'delno' argument in the fromPPTPUserSetting function of the /goform/PPTPUserSetting component's httpd process.A stack-based buffer overflow vulnerability, identified as CVE-2026-5021, has been discovered in Tenda F453 router version 1.0.0.3. This vulnerability resides within the fromPPTPUserSetting function of the /goform/PPTPUserSetting component, specifically in the httpd process. The vulnerability can be triggered by manipulating the delno argument. Successful exploitation allows remote attackers to potentially execute arbitrary code on the affected device. Publicly available exploit code…

]]>criticaladvisorycve-2026-5021buffer-overflowrouterhttps://feed.craftedsignal.io/briefs/2026-03-wavlink-overflow/Sun, 29 Mar 2026 00:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-wavlink-overflow/A stack-based buffer overflow vulnerability exists in Wavlink WL-WN579X3-C 231124's UPNP Handler component, specifically in the /cgi-bin/firewall.cgi file and the sub_4019FC function, allowing remote attackers to execute arbitrary code by manipulating the UpnpEnabled argument; public exploits are available, but the vendor has not responded to the disclosure.A critical vulnerability, identified as CVE-2026-5004, affects the Wavlink WL-WN579X3-C 231124 router. The vulnerability lies within the UPNP Handler component, specifically the /cgi-bin/firewall.cgi file’s sub_4019FC function. By manipulating the UpnpEnabled argument, a remote attacker can trigger a stack-based buffer overflow. This can lead to arbitrary code execution on the device. Public exploits for this vulnerability are available, increasing the risk of widespread exploitation. Despite responsible disclosure attempts, the vendor has not provided a patch or response, leaving users vulnerable. This is a significant concern for network security, especially for devices exposed to the internet.

Attack Chain

1. The attacker identifies a vulnerable Wavlink WL-WN579X3-C 231124 router exposed to the internet.
2. The attacker crafts a malicious HTTP request targeting /cgi-bin/firewall.cgi.
3. The HTTP request includes a manipulated UpnpEnabled argument designed to overflow the buffer in the sub_4019FC function.
4. The vulnerable sub_4019FC function processes the UpnpEnabled argument without proper bounds checking.
5. The buffer overflow occurs, overwriting adjacent memory on the stack, including the return address.
6. The overwritten return address points to attacker-controlled code.
7. Upon function return, execution jumps to the attacker-controlled code, allowing arbitrary commands to be executed.
8. The attacker gains remote code execution, potentially allowing complete control of the device, including network access and data exfiltration.

Impact

Successful exploitation of CVE-2026-5004 allows a remote attacker to execute arbitrary code on the vulnerable Wavlink WL-WN579X3-C 231124 router. This could lead to complete device compromise, including unauthorized network access, data exfiltration, and the potential use of the router as a botnet node. Given the availability of public exploits, a widespread exploitation is possible, affecting potentially thousands of devices. The lack of vendor response exacerbates the risk, as no official patch is available.

Recommendation

• Deploy the Sigma rule Detect Suspicious Firewall CGI Requests to your SIEM and tune for your environment to identify potential exploitation attempts targeting the /cgi-bin/firewall.cgi endpoint.
• Deploy the Sigma rule Detect UPNP Enabled Overflow to detect possible overflows.
• Monitor web server logs for requests to /cgi-bin/firewall.cgi with unusually long UpnpEnabled parameters.
• If possible, isolate Wavlink WL-WN579X3-C 231124 routers from direct internet exposure until a patch is available.

]]>criticaladvisorycvebuffer-overflowrouterhttps://feed.craftedsignal.io/briefs/2026-03-tenda-ac15-bo/Sat, 28 Mar 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-tenda-ac15-bo/A stack-based buffer overflow vulnerability (CVE-2026-4975) exists in the Tenda AC15 router version 15.03.05.19, allowing remote attackers to execute arbitrary code by manipulating the 'funcpara1' argument in a POST request to /goform/setcfm.CVE-2026-4975 is a critical security vulnerability affecting Tenda AC15 routers running firmware version 15.03.05.19. This vulnerability resides in the formSetCfm function, specifically within the /goform/setcfm file, which handles POST requests. An attacker can exploit a stack-based buffer overflow by sending a crafted POST request with a malicious payload in the funcpara1 argument. The vulnerability is remotely exploitable, meaning an attacker does not need local access to the device…

]]>criticaladvisorytendarouterbuffer overflowcve-2026-4975https://feed.craftedsignal.io/briefs/2026-03-totolink-buffer-overflow/Fri, 27 Mar 2026 21:17:28 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-totolink-buffer-overflow/A buffer overflow vulnerability in Totolink LR350 version 9.3.5u.6369_B20220309 allows a remote attacker to execute arbitrary code by manipulating the 'ssid' argument in the setWiFiGuestCfg function.A critical buffer overflow vulnerability, CVE-2026-4976, has been identified in Totolink LR350 routers running firmware version 9.3.5u.6369_B20220309. The vulnerability resides in the setWiFiGuestCfg function within the /cgi-bin/cstecgi.cgi file. By crafting a malicious HTTP request and manipulating the ssid argument, a remote, unauthenticated attacker can trigger a buffer overflow, potentially leading to arbitrary code execution on the device. The availability of a public exploit…

]]>criticaladvisorycve-2026-4976buffer-overflowtotolinkrouterremote-code-executionhttps://feed.craftedsignal.io/briefs/2026-03-tenda-ac7-overflow/Fri, 27 Mar 2026 20:16:38 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-tenda-ac7-overflow/A stack-based buffer overflow vulnerability exists in Tenda AC7 version 15.03.06.44 within the fromSetSysTime function of the /goform/SetSysTimeCfg component's POST Request Handler, allowing a remote attacker to potentially execute arbitrary code by manipulating the 'Time' argument.A stack-based buffer overflow vulnerability has been identified in Tenda AC7 router firmware, specifically version 15.03.06.44. The vulnerability resides in the fromSetSysTime function within the /goform/SetSysTimeCfg component, which handles POST requests. A remote attacker can exploit this flaw by crafting a malicious POST request with an overly long Time argument, causing a buffer overflow on the stack. Publicly available exploits exist, increasing the risk of exploitation. Successful exploitation could lead to arbitrary code execution on the device, potentially granting the attacker complete control over the router. This is a critical vulnerability due to the ease of remote exploitation and the potential for significant impact.

Attack Chain

1. Attacker identifies a Tenda AC7 router running firmware version 15.03.06.44.
2. Attacker crafts a POST request targeting the /goform/SetSysTimeCfg endpoint.
3. The POST request includes the Time argument, set to a string exceeding the expected buffer size.
4. The fromSetSysTime function processes the Time argument without proper bounds checking.
5. The overly long Time argument overflows the stack buffer during the copy operation.
6. The buffer overflow overwrites critical data on the stack, including the return address.
7. The attacker controls the overwritten return address, redirecting execution flow to malicious code.
8. The attacker gains arbitrary code execution on the router, potentially leading to complete device compromise.

Impact

Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the affected Tenda AC7 router. This can lead to a variety of malicious outcomes, including complete device compromise, modification of router settings (DNS, firewall rules), interception of network traffic, and use of the router as a botnet node. Given the widespread use of Tenda routers, a large number of devices could be vulnerable, potentially impacting home users and small businesses.

Recommendation

• Apply available patches or firmware updates provided by Tenda to address CVE-2026-4974.
• Monitor webserver logs for POST requests to /goform/SetSysTimeCfg with abnormally long Time parameters, using the Sigma rule provided below.
• Implement rate limiting on the /goform/SetSysTimeCfg endpoint to mitigate brute-force attempts to exploit the vulnerability.
• Deploy the Sigma rule to detect processes spawned by the webserver after the exploit is triggered.

]]>criticaladvisorycvebuffer-overflowrouterhttps://feed.craftedsignal.io/briefs/2026-03-tenda-ac6-overflow/Fri, 27 Mar 2026 17:16:30 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-tenda-ac6-overflow/A stack-based buffer overflow vulnerability in Tenda AC6 version 15.03.05.16 allows remote attackers to execute arbitrary code by manipulating the WANT/WANS argument in the /goform/WizardHandle POST request handler.A critical stack-based buffer overflow vulnerability has been identified in Tenda AC6 router firmware version 15.03.05.16. The vulnerability, tracked as CVE-2026-4960, resides within the fromWizardHandle function of the /goform/WizardHandle component, which handles POST requests. A remote attacker can exploit this vulnerability by sending a crafted POST request with a manipulated WANT or WANS argument, leading to arbitrary code execution on the device. Public exploit code is available, increasing the risk of widespread exploitation. This vulnerability poses a significant threat, potentially allowing attackers to gain complete control over vulnerable routers and compromise connected networks.

Attack Chain

1. Attacker identifies a Tenda AC6 router running firmware version 15.03.05.16.
2. The attacker crafts a malicious POST request targeting the /goform/WizardHandle endpoint.
3. Within the POST request, the attacker manipulates the WANT or WANS argument to inject a payload exceeding the buffer size.
4. The router processes the POST request, passing the attacker-controlled input to the vulnerable fromWizardHandle function.
5. The overflow occurs when the fromWizardHandle function copies the attacker-supplied data into a fixed-size buffer on the stack without proper bounds checking.
6. The injected payload overwrites adjacent memory locations on the stack, including the return address.
7. When the fromWizardHandle function returns, it jumps to the attacker-controlled address.
8. The attacker gains arbitrary code execution on the router, potentially leading to complete system compromise.

Impact

Successful exploitation of this vulnerability allows a remote attacker to gain complete control of the affected Tenda AC6 router. This can lead to a variety of malicious outcomes, including network hijacking, DNS poisoning, interception of network traffic, deployment of malware, and the creation of botnets. Given the widespread use of Tenda routers in home and small business networks, a large number of devices are potentially vulnerable. The CVSS v3.1 score of 8.8 reflects the high severity of this vulnerability.

Recommendation

• Apply any available firmware updates from Tenda to patch CVE-2026-4960.
• Monitor web server logs for suspicious POST requests to /goform/WizardHandle with abnormally long WANT or WANS parameters using the Sigma rule provided below.
• Implement network intrusion detection system (NIDS) rules to detect exploit attempts targeting the /goform/WizardHandle endpoint.
• Restrict access to the router’s web interface from the public internet where possible to reduce the attack surface.

]]>criticaladvisorycve-2026-4960buffer-overflowtendarouterhttps://feed.craftedsignal.io/briefs/2026-03-tenda-ac5-overflow/Fri, 27 Mar 2026 00:16:24 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-tenda-ac5-overflow/A stack-based buffer overflow vulnerability (CVE-2026-4905) exists in Tenda AC5 firmware version 15.03.06.47 allowing remote attackers to execute arbitrary code by manipulating the 'index' argument in a POST request to the /goform/WifiWpsOOB endpoint.A stack-based buffer overflow vulnerability, identified as CVE-2026-4905, has been discovered in Tenda AC5 home routers running firmware version 15.03.06.47. The vulnerability resides within the formWifiWpsOOB function in the /goform/WifiWpsOOB file, which handles POST requests. Attackers can remotely exploit this flaw by crafting a malicious POST request to this endpoint, specifically targeting the index argument. Successful exploitation leads to arbitrary code execution on the device…

]]>criticaladvisorybuffer-overflowtendaroutercve-2026-4905https://feed.craftedsignal.io/briefs/2026-03-netcore-rce/Thu, 26 Mar 2026 05:16:40 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-netcore-rce/CVE-2026-4840 is a critical command injection vulnerability in the Netcore Power 15AX router that allows remote attackers to execute arbitrary OS commands by manipulating the IpAddr argument in the setTools function of the /bin/netis.cgi file.A remote command execution vulnerability, CVE-2026-4840, affects Netcore Power 15AX devices with firmware versions up to 3.0.0.6938. The vulnerability resides in the Diagnostic Tool Interface, specifically within the setTools function of the /bin/netis.cgi file. By manipulating the IpAddr argument, an attacker can inject and execute arbitrary operating system commands on the device. This vulnerability poses a significant risk, as it allows unauthenticated remote attackers to gain complete…

]]>criticaladvisorycommand-injectionrcevulnerabilitynetcorerouterhttps://feed.craftedsignal.io/briefs/2026-03-dlink-command-injection/Tue, 24 Mar 2026 05:16:24 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-dlink-command-injection/CVE-2026-4627 is an OS command injection vulnerability in the handler_update_system_time function of the libdeuteron_modules.so file in the NTP Service component of D-Link DIR-825 and DIR-825R devices, which can be exploited remotely by authenticated attackers.CVE-2026-4627 is an OS command injection vulnerability affecting D-Link DIR-825 and DIR-825R routers, specifically versions 1.0.5 and 4.5.1. The vulnerability resides within the handler_update_system_time function of the libdeuteron_modules.so file, which is part of the NTP service. An attacker with administrative privileges can inject arbitrary OS commands by manipulating the input to this function. The vulnerability can be exploited remotely, allowing a threat actor to potentially gain…

]]>highadvisorycommand-injectionrouterlegacy-devicehttps://feed.craftedsignal.io/briefs/2026-03-tenda-stack-overflow/Mon, 23 Mar 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-tenda-stack-overflow/A stack-based buffer overflow vulnerability exists in Tenda F453 version 1.0.0.3 in the fromNatlimit function of the /goform/Natlimit Parameters Handler component, triggered remotely by manipulating the 'page' argument, allowing for potential arbitrary code execution.A stack-based buffer overflow vulnerability, tracked as CVE-2026-4553, has been identified in Tenda F453 version 1.0.0.3. The flaw resides within the fromNatlimit function of the /goform/Natlimit component’s Parameters Handler. Publicly available exploits exist, increasing the risk of exploitation. Successful exploitation could allow an attacker to execute arbitrary code on the affected device. This vulnerability poses a significant threat to users of the Tenda F453 router, potentially…

]]>criticaladvisorycve-2026-4553tendabuffer-overflowrouterhttps://feed.craftedsignal.io/briefs/2026-03-tenda-a15-bo/Mon, 23 Mar 2026 03:16:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-tenda-a15-bo/A stack-based buffer overflow vulnerability (CVE-2026-4567) exists in the UploadCfg function of the /cgi-bin/UploadCfg file in Tenda A15 firmware version 15.13.07.13, allowing remote attackers to execute arbitrary code by manipulating the File argument.A critical stack-based buffer overflow vulnerability, identified as CVE-2026-4567, has been discovered in Tenda A15 wireless routers running firmware version 15.13.07.13. The vulnerability resides in the UploadCfg function within the /cgi-bin/UploadCfg file, which handles file uploads. A remote attacker can exploit this flaw by crafting a malicious request to the router, specifically targeting the File argument, to overwrite the stack buffer and potentially gain arbitrary code execution…

]]>criticaladvisorycve-2026-4567stack-based buffer overflowtendarouterremote code executionhttps://feed.craftedsignal.io/briefs/2026-03-belkin-rce/Mon, 23 Mar 2026 03:16:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-belkin-rce/A stack-based buffer overflow vulnerability exists in Belkin F9K1122 version 1.00.33, allowing remote attackers to execute arbitrary code by manipulating the 'webpage' argument in the 'formWISP5G' function.A stack-based buffer overflow vulnerability has been discovered in the Belkin F9K1122 router, specifically version 1.00.33. The vulnerability resides within the formWISP5G function located in the /goform/formWISP5G file. Successful exploitation involves manipulating the webpage argument, leading to arbitrary code execution. This vulnerability is remotely exploitable, making it a significant threat. Publicly available exploit code exists, increasing the likelihood of exploitation. The vendor was notified but has not responded, indicating a lack of timely patching. This poses a high risk to users of the affected Belkin router model.

Attack Chain

1. Attacker identifies a vulnerable Belkin F9K1122 router running firmware version 1.00.33.
2. The attacker crafts a malicious HTTP request targeting the /goform/formWISP5G endpoint.
3. Within the HTTP request, the webpage argument is manipulated to contain a payload exceeding the buffer size.
4. The router’s web server processes the request and passes the attacker-controlled input to the formWISP5G function.
5. The formWISP5G function attempts to copy the oversized webpage argument into a fixed-size buffer on the stack.
6. A stack-based buffer overflow occurs, overwriting adjacent memory regions, including the return address.
7. The attacker gains control of the program execution flow by redirecting it to attacker-controlled code.
8. The attacker executes arbitrary code on the router, potentially gaining complete control of the device.

Impact

Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the Belkin F9K1122 router. This can lead to a complete compromise of the device, allowing the attacker to modify router settings, intercept network traffic, or use the router as a pivot point for further attacks within the network. Given the wide use of these routers in home and small business environments, a successful widespread attack could impact thousands of users. The absence of a vendor patch exacerbates the risk.

Recommendation

• Implement a web application firewall (WAF) rule to detect and block requests with excessively long webpage arguments to the /goform/formWISP5G endpoint, mitigating exploitation attempts (Attack Chain step 3).
• Deploy the Sigma rule provided to detect suspicious web requests targeting the vulnerable endpoint (see “Belkin Router RCE Attempt” rule).
• Monitor web server logs for unusual activity related to the /goform/formWISP5G endpoint (Attack Chain step 4).

]]>criticaladvisorycve-2026-4566buffer-overflowrouterrcehttps://feed.craftedsignal.io/briefs/2026-03-tenda-ac21-buffer-overflow/Mon, 23 Mar 2026 01:16:43 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-tenda-ac21-buffer-overflow/A buffer overflow vulnerability exists in Tenda AC21 firmware version 16.03.08.16, allowing remote attackers to execute arbitrary code by manipulating arguments to the formSetQosBand function.A critical buffer overflow vulnerability, CVE-2026-4565, affects Tenda AC21 routers running firmware version 16.03.08.16. The flaw resides in the formSetQosBand function within the /goform/SetNetControlList file. Attackers can exploit this vulnerability by crafting malicious argument lists in HTTP requests, leading to arbitrary code execution on the device. The vulnerability can be exploited remotely and a proof-of-concept exploit is publicly available, increasing the risk of widespread exploitation. Successful exploitation allows attackers to gain complete control over the router, potentially compromising connected devices and network traffic.

Attack Chain

1. Attacker identifies a vulnerable Tenda AC21 router with firmware version 16.03.08.16.
2. The attacker crafts a malicious HTTP POST request targeting the /goform/SetNetControlList endpoint.
3. The POST request includes a specially crafted argument list designed to overflow the buffer in the formSetQosBand function.
4. The router processes the HTTP request and passes the malicious arguments to the vulnerable function.
5. The formSetQosBand function attempts to copy the oversized argument list into a fixed-size buffer, triggering a buffer overflow.
6. The buffer overflow overwrites adjacent memory regions, potentially including critical program data or execution pointers.
7. The attacker gains control of the program execution flow and injects malicious code.
8. The injected code executes with elevated privileges, granting the attacker complete control over the router.

Impact

Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the Tenda AC21 router. This can lead to a variety of malicious outcomes, including: complete device compromise, modification of router settings, interception of network traffic, deployment of malware to connected devices, and use of the router as a botnet node. Given the wide usage of Tenda routers in home and small business environments, a successful widespread exploit could impact thousands of users.

Recommendation

• Monitor web server logs for suspicious POST requests to /goform/SetNetControlList with unusually long or malformed arguments (see rule: “Detect Suspicious POST Requests to SetNetControlList”).
• Implement rate limiting on HTTP POST requests to prevent attackers from quickly exploiting the vulnerability.
• Deploy the Sigma rule “Detect Tenda AC21 Buffer Overflow Attempt” to identify exploitation attempts based on specific patterns in HTTP requests.
• Consider blocking traffic from known exploit sources, if available.
• Upgrade to a patched firmware version as soon as it becomes available from the vendor.

]]>criticaladvisorytendaac21buffer_overflowcve-2026-4565routerhttps://feed.craftedsignal.io/briefs/2026-02-zyxel-rce/Fri, 27 Feb 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-02-zyxel-rce/A critical command injection vulnerability (CVE-2026-13942) in the UPnP function of Zyxel routers allows remote attackers to execute arbitrary operating system commands by sending crafted UPnP SOAP requests.<p>A critical command injection vulnerability, tracked as CVE-2026-13942, has been discovered in the UPnP (Universal Plug and Play) service of Zyxel routers. The vulnerability stems from insufficient validation of input within the UPnP SOAP request processing. An unauthenticated, remote attacker can exploit this flaw by sending specially crafted UPnP SOAP requests to the affected device. This allows the attacker to inject and execute arbitrary operating system commands with elevated privileges on…</p> criticaladvisoryzyxelroutercommand injectioncve-2026-13942upnphttps://feed.craftedsignal.io/briefs/2024-01-tenda-hg3-command-injection/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-tenda-hg3-command-injection/A command injection vulnerability (CVE-2026-7096) exists in the Tenda HG3 2.0 300003070 router, allowing remote attackers to execute arbitrary OS commands by manipulating the 'fmgpon_loid' argument in the 'formgponConf' function of the '/boaform/admin/formgponConf' file due to insufficient input validation.A critical command injection vulnerability, identified as CVE-2026-7096, affects Tenda HG3 2.0 300003070 routers. The vulnerability resides in the ‘formgponConf’ function within the ‘/boaform/admin/formgponConf’ file. An attacker can exploit this flaw by manipulating the ‘fmgpon_loid’ argument. Successful exploitation allows a remote attacker to execute arbitrary operating system commands on the affected device. Given the public availability of an exploit, Tenda HG3 devices are at immediate risk of compromise. This poses a significant threat as attackers can potentially gain full control of the router, compromise connected networks, and exfiltrate sensitive information.

Attack Chain

1. The attacker identifies a vulnerable Tenda HG3 2.0 300003070 router with an exposed web interface.
2. The attacker crafts a malicious HTTP POST request targeting the ‘/boaform/admin/formgponConf’ endpoint.
3. The attacker injects a payload containing OS commands into the ‘fmgpon_loid’ parameter of the POST request.
4. The Tenda HG3 router’s web server processes the request without proper input validation of the ‘fmgpon_loid’ parameter.
5. The injected OS command is executed by the router’s operating system with the privileges of the web server process.
6. The attacker gains remote code execution on the Tenda HG3 router.
7. The attacker may establish a reverse shell to maintain persistent access or download further malicious payloads.
8. The attacker can then pivot to internal networks, exfiltrate data, or use the compromised router for other malicious activities.

Impact

Successful exploitation of CVE-2026-7096 grants attackers the ability to execute arbitrary OS commands on the Tenda HG3 router. This can lead to complete compromise of the device, allowing attackers to modify router settings, intercept network traffic, and potentially gain access to connected devices on the local network. Given the widespread use of Tenda routers in home and small business environments, a successful attack could impact thousands of users. The vulnerability’s high CVSS score of 8.8 underscores the severity and potential for widespread damage.

Recommendation

• Deploy the Sigma rule “Detect Tenda HG3 Command Injection Attempt” to your SIEM to identify exploitation attempts by monitoring HTTP POST requests to ‘/boaform/admin/formgponConf’ with suspicious commands in the ‘fmgpon_loid’ parameter.
• Implement network intrusion detection system (NIDS) rules to detect malicious payloads in HTTP POST requests targeting the vulnerable endpoint, as described in the “Attack Chain” section.
• While no specific IOCs are provided, analyze network traffic and web server logs for unusual activity originating from or targeting Tenda HG3 routers.
• Monitor web server logs for HTTP POST requests to /boaform/admin/formgponConf (described in Attack Chain step 2).

]]>criticaladvisorycommand-injectionroutertendahttps://feed.craftedsignal.io/briefs/2024-01-tenda-fh1202-bo/Tue, 02 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-tenda-fh1202-bo/A stack-based buffer overflow vulnerability exists in the Tenda FH1202 router, specifically in the WrlExtraSet function, allowing remote attackers to execute arbitrary code by manipulating the 'Go' argument in a request to /goform/WrlExtraSet.A critical stack-based buffer overflow vulnerability, identified as CVE-2026-7034, has been discovered in Tenda FH1202 version 1.2.0.14(408). The vulnerability resides within the WrlExtraSet function of the /goform/WrlExtraSet component, which is part of the device’s httpd server. A remote attacker can exploit this vulnerability by crafting a malicious HTTP request that manipulates the Go argument, leading to arbitrary code execution on the affected device. The exploit for this vulnerability has been made public, increasing the risk of widespread exploitation. This vulnerability poses a significant threat to users of the Tenda FH1202 router as it allows for complete compromise of the device.

Attack Chain

1. The attacker identifies a vulnerable Tenda FH1202 router exposed to the internet.
2. The attacker crafts a malicious HTTP POST request targeting the /goform/WrlExtraSet endpoint.
3. The crafted request includes a Go parameter with a payload exceeding the expected buffer size, triggering the stack-based buffer overflow.
4. The overflow overwrites critical return addresses on the stack.
5. The overwritten return address is redirected to malicious code injected by the attacker within the overflowed buffer.
6. The injected code executes with the privileges of the httpd process.
7. The attacker gains complete control of the device, potentially allowing for the installation of malware, modification of router settings, or interception of network traffic.

Impact

Successful exploitation of this vulnerability allows a remote attacker to gain complete control of the Tenda FH1202 router. This can lead to a variety of malicious activities, including installing persistent backdoors, modifying DNS settings to redirect traffic, or using the compromised device as part of a botnet. The lack of required authentication for exploitation increases the severity, making it easily exploitable. While the exact number of affected devices is unknown, the widespread use of Tenda routers suggests a potentially large number of vulnerable targets.

Recommendation

• Monitor web server logs for suspicious POST requests to /goform/WrlExtraSet with unusually long Go parameter values to detect potential exploitation attempts. Reference the Sigma rule Detect Suspicious WrlExtraSet Requests.
• Implement rate limiting for requests to the /goform/WrlExtraSet endpoint to mitigate brute-force exploitation attempts.
• Consider blocking or alerting on requests to /goform/WrlExtraSet originating from outside the expected user base (e.g., requests originating from outside the country where the organization operates).

]]>criticaladvisorycve-2026-7034buffer-overflowroutertendahttps://feed.craftedsignal.io/briefs/2024-01-tenda-f456-buffer-overflow/Tue, 02 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-tenda-f456-buffer-overflow/A remote buffer overflow vulnerability exists in Tenda F456 version 1.0.0.5 via manipulation of the 'page' argument in the fromDhcpListClient function of the /goform/DhcpListClient component, potentially leading to arbitrary code execution.A critical buffer overflow vulnerability, identified as CVE-2026-7098, has been discovered in Tenda F456 router version 1.0.0.5. The vulnerability resides within the fromDhcpListClient function of the /goform/DhcpListClient component’s httpd service. An attacker can exploit this flaw by remotely manipulating the page argument, leading to a buffer overflow. Publicly available exploit code exists, increasing the risk of widespread exploitation. Successful exploitation could allow an attacker to execute arbitrary code on the device, potentially gaining full control of the router and the network it serves. This poses a significant threat to home and small business users relying on these routers.

Attack Chain

1. Attacker identifies a vulnerable Tenda F456 router (version 1.0.0.5) accessible over the network.
2. The attacker crafts a malicious HTTP request targeting the /goform/DhcpListClient endpoint.
3. The crafted request includes a page argument with a payload designed to overflow the buffer in the fromDhcpListClient function.
4. The httpd service processes the request and calls the fromDhcpListClient function.
5. Due to insufficient bounds checking, the oversized payload overwrites the buffer, potentially overwriting adjacent memory regions.
6. The attacker’s payload overwrites the return address on the stack with a pointer to attacker-controlled code.
7. The fromDhcpListClient function returns, causing execution to jump to the attacker-controlled code.
8. The attacker-controlled code executes with the privileges of the httpd service, potentially allowing for full control of the device.

Impact

Successful exploitation of this vulnerability can allow a remote attacker to execute arbitrary code on the Tenda F456 router. This could lead to a complete compromise of the device, allowing the attacker to modify router settings, intercept network traffic, or use the router as a pivot point for further attacks within the network. Given the ease of exploitation and public availability of exploit code, a large number of Tenda F456 users are at risk.

Recommendation

• Monitor web server logs for suspicious requests to /goform/DhcpListClient with unusually long page parameters to detect potential exploitation attempts (see Sigma rule “Detect Tenda F456 Buffer Overflow Attempt”).
• Implement rate limiting on requests to the /goform/DhcpListClient endpoint to mitigate the impact of potential attacks.
• Deploy the Sigma rule “Detect Tenda F456 Buffer Overflow Response” to identify successful exploitation attempts based on server response codes.

]]>criticaladvisorycve-2026-7098buffer-overflowrouter