Tenda — CraftedSignal Threat Feed

Tenda 4G300 Stack-Based Buffer Overflow Vulnerability

hello@craftedsignal.io — Thu, 30 Apr 2026 03:16:01 +0000

A stack-based buffer overflow vulnerability has been identified in Tenda 4G300 routers, specifically version US_4G300V1.0Mt_V1.01.42_CN_TDC01. The vulnerability resides within the sub_427C3C function located in the /goform/SafeMacFilter file. An attacker can exploit this flaw by manipulating the page argument in a crafted request, leading to a buffer overflow and potentially allowing for arbitrary code execution on the affected device. The vulnerability, identified as CVE-2026-7470, poses a significant risk as remote exploitation is possible, and a proof-of-concept exploit is publicly available, increasing the likelihood of malicious actors leveraging this vulnerability.

Attack Chain

The attacker identifies a Tenda 4G300 router running the vulnerable firmware version US_4G300V1.0Mt_V1.01.42_CN_TDC01.
The attacker crafts a malicious HTTP POST request targeting the /goform/SafeMacFilter endpoint.
The crafted request includes the page argument with a payload exceeding the buffer size allocated for it within the sub_427C3C function.
The router processes the HTTP request, passing the oversized page argument to the vulnerable function.
The sub_427C3C function attempts to write the oversized data into a stack-based buffer, causing a buffer overflow.
The buffer overflow overwrites adjacent memory on the stack, including the return address.
The attacker redirects execution flow to a malicious code payload injected into the request or elsewhere in memory.
The injected code executes with the privileges of the router process, potentially allowing the attacker to gain full control of the device.

Impact

Successful exploitation of this vulnerability can lead to complete compromise of the Tenda 4G300 router. An attacker could gain unauthorized access to the device’s configuration, intercept network traffic, or use the router as a launching point for further attacks against other devices on the network or the internet. Given the widespread use of these routers in homes and small businesses, a successful attack could impact a large number of users.

Recommendation

Monitor web server logs for unusual POST requests to /goform/SafeMacFilter with abnormally long page parameters. Use the provided Sigma rule to detect suspicious activity.
Implement rate limiting on the /goform/SafeMacFilter endpoint to mitigate potential brute-force exploitation attempts.
Apply any available patches or firmware updates released by Tenda to address CVE-2026-7470.
Deploy the Sigma rules in this brief to your SIEM and tune for your environment.

Tenda W308R DNS Hijacking Vulnerability (CVE-2018-25316)

hello@craftedsignal.io — Wed, 29 Apr 2026 20:16:27 +0000

Tenda W308R v2 running firmware V5.07.48 is susceptible to a cookie session weakness (CVE-2018-25316) that enables unauthenticated attackers to perform DNS hijacking. This vulnerability stems from insufficient session validation. An attacker can exploit this weakness by sending specially crafted GET requests to the goform/AdvSetDns endpoint. The malicious request includes a crafted admin language cookie, which bypasses authentication checks and allows modification of the device’s DNS server settings. Successful exploitation allows the attacker to redirect the router’s DNS queries to a malicious server under their control. This poses a significant risk to end-users, as it can lead to phishing attacks, malware distribution, and other malicious activities.

Attack Chain

The attacker identifies a vulnerable Tenda W308R v2 router running firmware V5.07.48 exposed to the internet.
The attacker crafts a malicious HTTP GET request targeting the goform/AdvSetDns endpoint.
The GET request includes a crafted “admin language cookie” designed to bypass authentication.
The router receives the malicious GET request and, due to insufficient session validation, incorrectly authenticates the attacker.
The router processes the malicious request, modifying the DNS server settings to attacker-controlled DNS servers.
Users connected to the compromised router now resolve domain names through the attacker’s DNS server.
The attacker’s DNS server redirects users to malicious websites, potentially serving malware or phishing pages.
Users unknowingly interact with the malicious content, leading to data theft, system compromise, or other harmful outcomes.

Impact

Successful exploitation of this vulnerability allows an attacker to control DNS resolution for all devices connected to the affected Tenda W308R v2 router. This can lead to widespread redirection to phishing sites designed to steal credentials, or to sites hosting malware that infects user devices. Given the widespread use of Tenda routers, this vulnerability could impact a large number of home and small business networks. A successful attack allows the attacker to perform man-in-the-middle attacks, eavesdrop on network traffic, and compromise connected devices.

Recommendation

Deploy the Sigma rule Detect Tenda Router DNS Hijack Attempt to identify attempts to exploit this vulnerability by monitoring for suspicious requests to the /goform/AdvSetDns endpoint (log source: webserver).
Monitor web server logs for requests containing a crafted admin language cookie to the /goform/AdvSetDns endpoint, indicating potential exploitation attempts (log source: webserver).
Apply available patches or firmware updates from Tenda to address the cookie session weakness and prevent unauthorized DNS modifications.
Consider replacing the affected device if a patch is unavailable, especially in high-risk environments.

Tenda HG3 v2.0 Stack-Based Buffer Overflow in formUploadConfig

hello@craftedsignal.io — Tue, 28 Apr 2026 12:00:00 +0000

A stack-based buffer overflow vulnerability has been identified in Tenda HG3 version 2.0. The vulnerability exists within the formUploadConfig function of the /boaform/formIPv6Routing file. A remote attacker can exploit this by manipulating the destNet argument, potentially leading to arbitrary code execution on the device. The vulnerability, identified as CVE-2026-7151, has a publicly available exploit, increasing the risk of exploitation. This poses a significant threat to users of Tenda HG3 v2.0 routers, potentially allowing attackers to gain unauthorized access and control over the device. The CVSS v3.1 score is rated as 8.8 (HIGH).

Attack Chain

Attacker identifies a Tenda HG3 v2.0 router with default or known credentials, or no authentication at all.
The attacker sends a crafted HTTP POST request to /boaform/formIPv6Routing.
The request targets the formUploadConfig function.
The destNet argument within the HTTP POST data is manipulated with a string exceeding the buffer size.
The formUploadConfig function processes the oversized destNet argument without proper bounds checking.
This causes a stack-based buffer overflow, overwriting adjacent memory regions on the stack.
The attacker gains arbitrary code execution on the device by overwriting the return address or other critical data on the stack.
The attacker can then leverage this to gain full control of the device, potentially modifying settings, injecting malware, or using it as part of a botnet.

Impact

Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the affected Tenda HG3 v2.0 router. This could lead to complete compromise of the device, allowing the attacker to monitor network traffic, change router settings, or use the device as a launchpad for further attacks against other devices on the network. Given the potential for widespread exploitation due to the publicly available exploit, a large number of Tenda HG3 v2.0 users are at risk.

Recommendation

Monitor web server logs for unusual POST requests to /boaform/formIPv6Routing with excessively long destNet parameters to detect potential exploit attempts (see example Sigma rule below).
Implement rate limiting for requests to /boaform/formIPv6Routing to mitigate brute-force exploitation attempts.
Apply available patches or firmware updates from Tenda to address CVE-2026-7151 on vulnerable HG3 2.0 devices.
Consider deploying a web application firewall (WAF) rule to filter out malicious requests targeting the destNet parameter in /boaform/formIPv6Routing.

Tenda HG3 2.0 Command Injection Vulnerability

hello@craftedsignal.io — Mon, 27 Apr 2026 22:16:18 +0000

Tenda HG3 2.0 is vulnerable to a command injection vulnerability (CVE-2026-7160) affecting the formTracert function in the /boaform/formTracert file. A remote attacker can exploit this by manipulating the datasize argument to inject arbitrary commands into the system. The vulnerability has a CVSS v3.1 score of 8.8, indicating a high severity. Public disclosure and potential exploitation make this a critical issue for users of the Tenda HG3 2.0 router. Successful exploitation allows an attacker to execute arbitrary commands on the device, potentially leading to complete system compromise.

Attack Chain

The attacker identifies a vulnerable Tenda HG3 2.0 router with an exposed web interface.
The attacker crafts a malicious HTTP request targeting the /boaform/formTracert endpoint.
The malicious request includes a manipulated datasize argument designed to inject a command.
The web server processes the request and passes the manipulated datasize argument to the formTracert function.
The formTracert function fails to properly sanitize the input, allowing the injected command to be executed by the system.
The injected command executes with the privileges of the web server process.
The attacker gains arbitrary code execution on the router.

Impact

Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary commands on the Tenda HG3 2.0 router. This can lead to complete compromise of the device, including modification of router settings, interception of network traffic, and potential use of the router as a botnet node. Given the high base score of 8.8, this poses a significant risk to affected users.

Recommendation

Apply available patches or firmware updates provided by Tenda to address CVE-2026-7160.
Monitor web server logs for suspicious POST requests to /boaform/formTracert with unusual datasize parameters, as covered by the Sigma rule “Detect Tenda HG3 Command Injection Attempt”.
Implement network intrusion detection system (IDS) rules to detect and block exploit attempts targeting this vulnerability.

Tenda F456 Router Buffer Overflow Vulnerability (CVE-2026-7101)

hello@craftedsignal.io — Mon, 27 Apr 2026 09:19:31 +0000

A critical buffer overflow vulnerability, identified as CVE-2026-7101, has been discovered in Tenda F456 router version 1.0.0.5. The vulnerability resides in the fromWrlclientSet function within the /goform/WrlclientSet file, which is part of the router’s httpd component. Successful exploitation allows remote attackers to execute arbitrary code on the device. Publicly available exploit code exists, increasing the risk of widespread exploitation. This vulnerability poses a significant threat to home and small business networks using the affected Tenda router model, potentially leading to complete device compromise and unauthorized network access. The vulnerability was published on 2026-04-27 and is tracked by VulDB.

Attack Chain

An attacker identifies a vulnerable Tenda F456 router running firmware version 1.0.0.5.
The attacker crafts a malicious HTTP request targeting the /goform/WrlclientSet endpoint.
The crafted request includes an oversized payload designed to overflow the buffer in the fromWrlclientSet function.
The httpd process attempts to process the request without proper bounds checking.
The buffer overflow occurs, overwriting adjacent memory regions, including critical program data and execution pointers.
The attacker gains control of the program execution flow.
The attacker executes arbitrary code on the router, potentially including shell commands or custom malware.
The attacker achieves complete control of the router, potentially enabling network reconnaissance, data exfiltration, or further attacks on the local network.

Impact

Successful exploitation of this buffer overflow vulnerability allows a remote attacker to execute arbitrary code on the Tenda F456 router. This can lead to complete device compromise, allowing the attacker to control network traffic, modify router settings, or use the compromised device as a pivot point for further attacks within the network. Given the wide usage of Tenda routers in home and small business environments, a successful widespread exploitation could impact thousands of users.

Recommendation

Upgrade to a patched firmware version if available from the vendor.
Implement network segmentation to limit the impact of a compromised router.
Monitor web server logs for suspicious activity targeting the /goform/WrlclientSet endpoint using the provided Sigma rule.
Implement an IPS rule to detect and block exploit attempts targeting CVE-2026-7101.

Tenda i9 Path Traversal Vulnerability (CVE-2026-7036)

hello@craftedsignal.io — Sun, 26 Apr 2026 12:16:22 +0000

A path traversal vulnerability, identified as CVE-2026-7036, exists in Tenda i9 version 1.0.0.5(2204). Specifically, the vulnerability resides in the R7WebsSecurityHandlerfunction of the HTTP Handler component. This flaw allows a remote, unauthenticated attacker to potentially access sensitive files and directories on the affected device. The vulnerability was reported on 2026-04-26, and a public exploit is reportedly available, increasing the risk of exploitation. This poses a significant threat to organizations using the affected Tenda i9 router, as it could lead to unauthorized access to sensitive information or system compromise.

Attack Chain

An attacker identifies a Tenda i9 router running firmware version 1.0.0.5(2204) accessible over the network.
The attacker crafts a malicious HTTP request targeting the vulnerable R7WebsSecurityHandlerfunction.
The crafted request includes a path traversal sequence (e.g., “../”) within the URL or request parameters.
The Tenda i9 router processes the malicious request without proper sanitization of the path.
The R7WebsSecurityHandlerfunction incorrectly interprets the path traversal sequence, allowing access to files or directories outside the intended web root.
The attacker gains unauthorized access to sensitive files, such as configuration files or system logs.
The attacker may use the exposed information to further compromise the device or the network it is connected to.
The attacker could potentially modify system files or execute commands, leading to full device compromise.

Impact

Successful exploitation of CVE-2026-7036 can lead to unauthorized access to sensitive files on the Tenda i9 router. This includes configuration files containing credentials, system logs, or other confidential data. An attacker could leverage this access to gain further control of the device, potentially leading to a complete system compromise. While the number of affected devices is currently unknown, given the widespread use of Tenda routers, the potential impact could be significant.

Recommendation

Deploy the provided Sigma rule to detect HTTP requests containing path traversal sequences targeting web servers to detect exploitation attempts (Sigma rule: “Detect Tenda i9 Path Traversal Attempt”).
Since the source mentions a public exploit exists, prioritize patching or replacing vulnerable Tenda i9 routers to remediate CVE-2026-7036 immediately, if a patch becomes available.
Monitor web server logs for unusual file access patterns or requests containing suspicious path traversal sequences.
Implement web application firewall (WAF) rules to block requests containing path traversal sequences.

Tenda HG10 HG7_HG9_HG10re_300001138_en_xpon Buffer Overflow Vulnerability

hello@craftedsignal.io — Sat, 25 Apr 2026 18:18:16 +0000

A buffer overflow vulnerability, identified as CVE-2026-6988, has been discovered in Tenda HG10 HG7_HG9_HG10re_300001138_en_xpon. The vulnerability resides within the Boa Service, specifically affecting the formRoute function located in the /boaform/formRouting file. Successful exploitation of this flaw enables a remote attacker to overwrite memory by crafting a malicious request with a manipulated nextHop argument. This can lead to arbitrary code execution on the affected device. Given the potential for remote exploitation and the availability of a published exploit, this vulnerability poses a significant threat.

Attack Chain

The attacker identifies a vulnerable Tenda HG10 HG7_HG9_HG10re_300001138_en_xpon device with the vulnerable Boa web service exposed.
The attacker crafts a malicious HTTP request targeting the /boaform/formRouting endpoint.
The crafted request includes a specially crafted nextHop argument, exceeding the buffer size allocated for it.
The Boa service processes the request without proper bounds checking on the nextHop argument.
The oversized nextHop argument overwrites adjacent memory regions, including critical program data or return addresses.
The overwritten return address redirects execution flow to attacker-controlled code.
The attacker executes arbitrary code on the device with the privileges of the Boa service.
The attacker gains control of the device, potentially leading to data exfiltration, device hijacking, or further network compromise.

Impact

Successful exploitation of CVE-2026-6988 can lead to complete compromise of the affected Tenda HG10 HG7_HG9_HG10re_300001138_en_xpon device. This may result in unauthorized access to the device’s configuration, sensitive data exposure, or the device being used as a bot in a larger attack. Given that this device is likely used in home or small business environments, a successful attack could lead to significant data breaches, financial losses, and reputational damage. The availability of a public exploit increases the likelihood of widespread exploitation.

Recommendation

Apply available patches or firmware updates released by Tenda to address CVE-2026-6988 as soon as possible.
Implement network segmentation to limit the exposure of Tenda devices to the internet or untrusted networks.
Monitor web server logs for suspicious activity targeting the /boaform/formRouting endpoint to detect potential exploit attempts (webserver log source).
Deploy the Sigma rule “Detect Tenda HG10 Buffer Overflow Attempt” to identify malicious HTTP requests exploiting the nextHop argument (Sigma rule).
Implement rate limiting on the /boaform/formRouting endpoint to mitigate potential brute-force exploitation attempts.

Tenda F451 Router Buffer Overflow Vulnerability

hello@craftedsignal.io — Mon, 20 Apr 2026 11:16:19 +0000

CVE-2026-6631 is a critical buffer overflow vulnerability affecting Tenda F451 routers running firmware version 1.0.0.7_cn_svn7958. The vulnerability resides in the fromwebExcptypemanFilter function within the /goform/webExcptypemanFilter component of the router’s httpd web server. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted HTTP request with an overly long ‘page’ parameter. Publicly available exploits exist, increasing the risk of widespread exploitation. Successful exploitation allows attackers to execute arbitrary code on the router, potentially leading to full device compromise and network access.

Attack Chain

Attacker identifies a vulnerable Tenda F451 router exposed to the internet.
Attacker crafts a malicious HTTP GET or POST request targeting /goform/webExcptypemanFilter.
The crafted request includes the page parameter with a payload exceeding the buffer size allocated for it.
The httpd server processes the request and passes the page parameter to the vulnerable fromwebExcptypemanFilter function.
Due to the lack of proper bounds checking, the overly long page parameter overwrites adjacent memory regions on the stack.
The attacker carefully designs the overflow payload to overwrite the return address on the stack with the address of malicious code injected elsewhere in memory.
The fromwebExcptypemanFilter function completes execution and attempts to return, jumping to the attacker-controlled address.
The attacker’s malicious code executes with the privileges of the httpd server, potentially gaining full control of the router.

Impact

Successful exploitation of CVE-2026-6631 allows remote attackers to execute arbitrary code on vulnerable Tenda F451 routers. This can lead to complete device compromise, allowing attackers to modify router settings, intercept network traffic, or use the router as a point of entry for further attacks on the internal network. Given the widespread use of Tenda routers, a large number of devices could be vulnerable, potentially impacting both home and small business networks. The availability of public exploits further increases the likelihood of exploitation.

Recommendation

Apply available firmware updates from Tenda to patch CVE-2026-6631.
Monitor web server logs for suspicious requests to /goform/webExcptypemanFilter with unusually long page parameters, using the Sigma rule DetectTendaF451BufferOverflow.
Implement network intrusion detection systems (IDS) to detect and block exploit attempts targeting CVE-2026-6631.
Consider deploying the Sigma rule DetectTendaF451SuspiciousProcess to identify unexpected processes spawned by the httpd daemon.
If patching is not immediately feasible, consider restricting access to the router’s web interface from the public internet to mitigate the risk of remote exploitation.

Tenda F451 Router Stack-Based Buffer Overflow Vulnerability

hello@craftedsignal.io — Sun, 12 Apr 2026 12:00:00 +0000

A stack-based buffer overflow vulnerability has been identified in Tenda F451 router firmware version 1.0.0.7. The vulnerability resides in the fromDhcpListClient function within the /goform/DhcpListClient component’s httpd service. A remote attacker can exploit this vulnerability by sending a specially crafted HTTP request with a malicious page argument. This can lead to arbitrary code execution on the device. Given the public availability of the exploit (CVE-2026-6120), Tenda F451 routers are at immediate risk of compromise if not properly secured. This vulnerability poses a significant threat due to the widespread use of Tenda routers in home and small office environments.

Attack Chain

Attacker identifies a Tenda F451 router running vulnerable firmware version 1.0.0.7.
The attacker crafts a malicious HTTP GET or POST request targeting the /goform/DhcpListClient endpoint.
The crafted request includes a page argument with a string exceeding the buffer size allocated for it in the fromDhcpListClient function.
The httpd service on the router receives the malicious request and passes the page argument to the vulnerable function.
The fromDhcpListClient function attempts to copy the oversized page argument into a fixed-size buffer on the stack, causing a buffer overflow.
The overflow overwrites adjacent stack memory, including the return address of the function.
The attacker controls the overwritten return address, redirecting execution to attacker-controlled code or a ROP chain.
The attacker gains arbitrary code execution on the router, potentially leading to complete device compromise and network access.

Impact

Successful exploitation of this vulnerability can lead to complete compromise of the Tenda F451 router. This allows attackers to control the device, intercept network traffic, change DNS settings, inject malicious scripts into web pages served to connected devices, or use the router as a pivot point for further attacks within the network. This vulnerability affects all users of the Tenda F451 router running firmware version 1.0.0.7, potentially impacting thousands of devices globally. Given the high CVSS score of 8.8, the risk is substantial.

Recommendation

Monitor web server logs for suspicious requests targeting the /goform/DhcpListClient endpoint, especially those with unusually long page parameters (refer to the rule Tenda F451 Suspicious URI Length).
Inspect network traffic for abnormal patterns related to compromised routers (unusual DNS requests, connections to known malicious IPs).
Implement rate limiting and input validation on web server endpoints where possible to mitigate buffer overflow attempts.
Apply any available firmware updates from Tenda to patch CVE-2026-6120, although patches may not be available.
Consider deploying network intrusion detection systems (NIDS) to identify and block exploitation attempts (refer to the Tenda F451 Buffer Overflow Attempt rule).

Tenda F451 Router Stack-Based Buffer Overflow Vulnerability

hello@craftedsignal.io — Sun, 12 Apr 2026 08:16:37 +0000

A critical stack-based buffer overflow vulnerability has been identified in Tenda F451 router version 1.0.0.7. The vulnerability resides within the frmL7ProtForm function of the /goform/L7Prot component, specifically within the httpd service. A remote attacker can exploit this flaw by crafting a malicious request targeting the page argument. Successful exploitation allows the attacker to execute arbitrary code on the device. Publicly available exploit code exists, increasing the risk of widespread exploitation. This vulnerability poses a significant threat to affected devices, potentially leading to full device compromise.

Attack Chain

Attacker identifies a vulnerable Tenda F451 router running firmware version 1.0.0.7.
Attacker crafts a malicious HTTP GET or POST request targeting the /goform/L7Prot endpoint.
The malicious request includes the page argument with a payload exceeding the buffer size allocated for it within the frmL7ProtForm function.
The httpd service processes the request without proper bounds checking on the page argument.
The oversized payload overflows the stack buffer during the execution of the frmL7ProtForm function.
The buffer overflow overwrites adjacent memory regions on the stack, including the return address.
The attacker-controlled return address redirects execution to attacker-supplied code or a return-oriented programming (ROP) chain.
The attacker executes arbitrary code on the router, potentially gaining full control of the device.

Impact

Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the affected Tenda F451 router. This can lead to a complete compromise of the device, allowing the attacker to modify router settings, intercept network traffic, or use the device as a bot in a botnet. Given the availability of public exploits, vulnerable devices are at high risk of compromise. The number of potentially affected devices is substantial, as the Tenda F451 is a widely used router model.

Recommendation

Monitor web server logs for requests to /goform/L7Prot with unusually long page parameters, deploying the Sigma rule Detect Tenda F451 Buffer Overflow Attempt to identify potential exploitation attempts.
Since no patch is available, consider replacing the Tenda F451 1.0.0.7 with a more secure router or firewall solution.
Implement network segmentation to limit the impact of a compromised router on other network devices.
Disable remote administration access to the router to reduce the attack surface.

Tenda F451 Stack-Based Buffer Overflow Vulnerability (CVE-2026-6121)

hello@craftedsignal.io — Sun, 12 Apr 2026 08:16:36 +0000

CVE-2026-6121 is a stack-based buffer overflow vulnerability affecting Tenda F451 router version 1.0.0.7. The vulnerability resides within the WrlclientSet function located in the /goform/WrlclientSet file of the httpd component. An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the affected router, specifically manipulating the GO argument. Due to insufficient bounds checking on the GO argument’s size when passed to the WrlclientSet function, an attacker can write beyond the allocated buffer on the stack, potentially leading to arbitrary code execution. Publicly available exploits exist, increasing the risk of widespread exploitation. Routers that are accessible from the internet are at highest risk.

Attack Chain

Attacker identifies a Tenda F451 router version 1.0.0.7 exposed to the internet.
The attacker crafts a malicious HTTP POST request targeting the /goform/WrlclientSet endpoint.
Within the HTTP POST request, the attacker includes the GO argument, filling it with a payload exceeding the buffer size allocated for it within the WrlclientSet function.
The httpd component of the Tenda F451 router receives the HTTP request and passes the GO argument to the vulnerable WrlclientSet function.
Due to the buffer overflow, the attacker’s payload overwrites adjacent memory locations on the stack.
The attacker’s payload overwrites the return address on the stack, redirecting execution flow to attacker-controlled code.
The attacker-controlled code executes with the privileges of the httpd process, allowing the attacker to perform actions such as modifying router configuration, executing system commands, or establishing a reverse shell.
The attacker gains persistent access to the router and potentially the internal network.

Impact

Successful exploitation of CVE-2026-6121 can lead to complete compromise of the affected Tenda F451 router. An attacker can gain unauthorized access to the device’s configuration, potentially modifying DNS settings, firewall rules, or other critical parameters. This can lead to redirection of user traffic, denial-of-service attacks, or the establishment of a foothold within the targeted network for further malicious activities. Given the ease of exploitation due to the publicly available exploit code, a large number of Tenda F451 routers could be compromised.

Recommendation

Monitor web server logs for POST requests to /goform/WrlclientSet with abnormally long GO parameter values to detect potential exploitation attempts (see Sigma rule below and enable webserver logging).
Implement rate limiting for requests to the /goform/WrlclientSet endpoint to mitigate potential brute-force exploitation attempts (configure your firewall or WAF).
Upgrade to a patched firmware version when available or replace the affected devices, if the vendor does not provide a fix.

Tenda F451 Router Stack-Based Buffer Overflow Vulnerability

hello@craftedsignal.io — Fri, 10 Apr 2026 00:16:36 +0000

A critical vulnerability, identified as CVE-2026-5989, affects the Tenda F451 router, specifically version 1.0.0.7. The vulnerability lies within the fromRouteStatic function of the /goform/RouteStatic file. By manipulating the page argument, a remote attacker can trigger a stack-based buffer overflow, potentially leading to arbitrary code execution. Publicly available exploit code exists, increasing the risk of exploitation. This vulnerability poses a significant threat as it allows unauthenticated remote attackers to compromise the router, potentially leading to network disruption, data theft, or use of the device in botnet activities.

Attack Chain

The attacker identifies a vulnerable Tenda F451 router (version 1.0.0.7) exposed to the internet.
The attacker crafts a malicious HTTP request targeting the /goform/RouteStatic endpoint.
The request includes a page argument with a payload designed to overflow the stack buffer in the fromRouteStatic function.
The vulnerable fromRouteStatic function processes the malicious page argument without proper bounds checking.
The buffer overflow overwrites critical data on the stack, including the return address.
Upon function return, control is redirected to the attacker-controlled memory region.
The attacker executes arbitrary code injected into the overflowed buffer, such as downloading and executing a reverse shell.
The attacker gains remote access to the router, potentially allowing further exploitation or network compromise.

Impact

Successful exploitation of CVE-2026-5989 allows an attacker to gain complete control of the Tenda F451 router. This can lead to a variety of damaging outcomes, including denial-of-service attacks against the local network, interception of network traffic, modification of router settings, and the potential use of the compromised router as a node in a botnet. Given the widespread use of Tenda routers in home and small business environments, a large number of devices could be at risk if this vulnerability is actively exploited.

Recommendation

Monitor web server logs for requests to /goform/RouteStatic containing abnormally long page arguments, as this is indicative of potential exploit attempts. Deploy the Sigma rule Detect Tenda F451 Exploit Attempt to detect these malicious requests.
Implement rate limiting on requests to the /goform/RouteStatic endpoint to mitigate potential denial-of-service attacks.
Since there is no patch available, consider replacing vulnerable Tenda F451 routers with more secure devices from other vendors.

Tenda AC15 Router Stack-Based Buffer Overflow (CVE-2026-5830)

hello@craftedsignal.io — Thu, 09 Apr 2026 02:16:17 +0000

A critical stack-based buffer overflow vulnerability, tracked as CVE-2026-5830, has been identified in Tenda AC15 routers running firmware version 15.03.05.18. The vulnerability resides in the websGetVar function within the /goform/SysToolChangePwd file, which handles password change requests. By crafting malicious requests and manipulating the oldPwd, newPwd, or cfmPwd arguments, an attacker can overwrite the stack, potentially leading to arbitrary code execution. The vulnerability is remotely exploitable by an authenticated user, and publicly available exploit code exists, increasing the risk of widespread exploitation. This poses a significant threat to home and small business networks using affected Tenda AC15 routers.

Attack Chain

An attacker gains unauthorized access to the router’s web management interface, potentially through weak credentials or brute-forcing.
The attacker crafts a malicious HTTP POST request to /goform/SysToolChangePwd.
The crafted request includes oversized data within the oldPwd, newPwd, or cfmPwd parameters.
The websGetVar function processes the request without proper bounds checking.
The oversized data overflows the stack buffer, overwriting adjacent memory regions.
The attacker carefully crafts the overflow to overwrite the return address on the stack.
The websGetVar function returns, diverting execution to the attacker-controlled address.
The attacker-controlled address contains shellcode that executes arbitrary commands, potentially granting complete control over the device.

Impact

Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the affected Tenda AC15 router. This could lead to complete device compromise, including unauthorized access to network traffic, modification of router settings, installation of malware, and use of the compromised device as a botnet node. Given the potentially widespread use of Tenda AC15 routers in home and small business environments, a large number of devices could be vulnerable.

Recommendation

Apply available patches from Tenda to remediate CVE-2026-5830 as soon as they become available.
Monitor webserver logs for suspicious POST requests to /goform/SysToolChangePwd with unusually long oldPwd, newPwd, or cfmPwd parameters and deploy the Sigma rule Detect Tenda AC15 Password Change Overflow.
Implement strong password policies and multi-factor authentication to prevent unauthorized access to the router’s web management interface.
Restrict access to the router’s web management interface to trusted networks only by configuring firewall rules.

Tenda CX12L Router Stack-Based Buffer Overflow Vulnerability (CVE-2026-5686)

hello@craftedsignal.io — Mon, 06 Apr 2026 22:16:24 +0000

CVE-2026-5686 is a critical vulnerability affecting Tenda CX12L routers running firmware version 16.03.53.12. This stack-based buffer overflow is located in the fromRouteStatic function within the /goform/RouteStatic file. A remote, unauthenticated attacker can exploit this vulnerability by sending a crafted request with a malicious page argument. Publicly available exploit code exists, increasing the risk of widespread exploitation. Successful exploitation could lead to arbitrary code execution, potentially allowing attackers to gain full control of the affected router. This poses a significant risk to home and small business networks using the vulnerable device.

Attack Chain

The attacker identifies a Tenda CX12L router running firmware version 16.03.53.12.
The attacker sends a crafted HTTP POST request to /goform/RouteStatic.
The request includes a page argument with a string exceeding the buffer size allocated to the fromRouteStatic function.
The oversized page argument overwrites adjacent memory on the stack, including the return address.
When the fromRouteStatic function returns, it attempts to jump to the overwritten return address controlled by the attacker.
The attacker’s payload, injected via the overflowed buffer, is executed with the privileges of the httpd process.
The attacker gains remote code execution on the router.
The attacker can then use the compromised router as a foothold for further attacks, such as network reconnaissance, lateral movement, or data exfiltration.

Impact

Successful exploitation of CVE-2026-5686 allows a remote attacker to execute arbitrary code on the affected Tenda CX12L router. This could lead to a complete compromise of the device, enabling attackers to modify router settings, intercept network traffic, or use the router as a proxy for malicious activities. Given the widespread use of Tenda routers in home and small business networks, this vulnerability could have a significant impact, potentially affecting thousands of users. A successful attack could lead to data breaches, service disruptions, and further compromise of connected devices within the network.

Recommendation

Apply available patches or firmware updates provided by Tenda to address CVE-2026-5686.
Monitor web server logs for suspicious POST requests to /goform/RouteStatic with unusually long page parameters, using the provided Sigma rule.
Implement network intrusion detection systems (IDS) to detect and block exploit attempts targeting this vulnerability.
Restrict access to the router’s administrative interface to trusted networks or IP addresses to limit the attack surface.
Regularly review router configurations and security settings to ensure they align with best practices.

Tenda CX12L Router Stack-Based Buffer Overflow Vulnerability

hello@craftedsignal.io — Mon, 06 Apr 2026 22:16:24 +0000

A critical stack-based buffer overflow vulnerability has been identified in Tenda CX12L routers running firmware version 16.03.53.12. The vulnerability resides within the fromwebExcptypemanFilter function in the /goform/webExcptypemanFilter file. An attacker with local network access can exploit this flaw by manipulating the page argument passed to this function, leading to arbitrary code execution on the device. The vulnerability, identified as CVE-2026-5684, has a CVSS v3.1 score of 8.0, indicating a high severity. Public exploits for this vulnerability are available, making it crucial for network administrators to address this issue promptly. Successful exploitation could allow an attacker to gain complete control of the router, potentially leading to data theft, network compromise, or denial of service.

Attack Chain

Attacker gains access to the local network where the Tenda CX12L router is located.
The attacker crafts a malicious HTTP request targeting the /goform/webExcptypemanFilter endpoint.
The crafted request includes a page argument with a payload exceeding the buffer size allocated for it within the fromwebExcptypemanFilter function.
The router processes the HTTP request and passes the overly long page argument to the vulnerable function.
The fromwebExcptypemanFilter function attempts to write the contents of the page argument into a fixed-size buffer on the stack.
Due to the excessive length of the page argument, the buffer overflows, overwriting adjacent memory regions on the stack.
The attacker leverages the buffer overflow to overwrite the return address on the stack with the address of malicious code or a ROP chain.
When the fromwebExcptypemanFilter function returns, control is transferred to the attacker-controlled code, allowing for arbitrary code execution.

Impact

Successful exploitation of CVE-2026-5684 allows an attacker with local network access to gain complete control of the affected Tenda CX12L router. This can lead to a variety of malicious activities, including unauthorized access to network traffic, modification of router settings, deployment of malicious firmware, and use of the compromised router as a botnet node. Given the availability of public exploits, organizations using this router model are at significant risk. The number of potential victims is dependent on the number of unpatched Tenda CX12L devices deployed.

Recommendation

Monitor webserver logs for HTTP requests targeting the /goform/webExcptypemanFilter endpoint with abnormally long page parameters to detect potential exploitation attempts. (Log Source: webserver, Rule: “Detect Tenda CX12L Web Request with Long Page Parameter”)
Deploy the Sigma rule “Detect Tenda CX12L Stack Buffer Overflow Attempt” to identify suspicious process creations following a potential exploit.
Review and restrict local network access to the Tenda CX12L router to reduce the attack surface, as the exploit requires local network access.
Contact Tenda for a security patch or firmware update to address CVE-2026-5684.

Tenda CH22 Router Stack-Based Buffer Overflow Vulnerability

hello@craftedsignal.io — Mon, 06 Apr 2026 12:00:00 +0000

A critical vulnerability, identified as CVE-2026-5605, affects Tenda CH22 router version 1.0.0.1. This flaw resides in the formWrlExtraSet function within the /goform/WrlExtraSet file. A remote, unauthenticated attacker can exploit a stack-based buffer overflow by sending a crafted HTTP request with a malicious value for the GO argument. Publicly available exploits exist, increasing the risk of widespread exploitation. Successful exploitation allows the attacker to potentially execute arbitrary code on the device, leading to a complete compromise of the router and the network it serves.

Attack Chain

The attacker identifies a vulnerable Tenda CH22 router running firmware version 1.0.0.1.
The attacker crafts a malicious HTTP POST request targeting the /goform/WrlExtraSet endpoint.
The crafted request includes the GO argument with a string exceeding the expected buffer size in the formWrlExtraSet function.
The router’s web server receives the request and passes the GO argument to the vulnerable function.
The formWrlExtraSet function attempts to copy the oversized GO argument into a fixed-size buffer on the stack.
This write operation overflows the buffer, overwriting adjacent memory regions, including the return address.
When the formWrlExtraSet function returns, it jumps to the address overwritten by the attacker.
The attacker’s injected code executes with the privileges of the web server process, potentially allowing full control of the device.

Impact

Successful exploitation of CVE-2026-5605 can lead to complete compromise of the Tenda CH22 router. This includes unauthorized access to network traffic, modification of router settings, and the potential for the router to be used as a pivot point for further attacks within the network. Given the ease of exploitation and the public availability of exploits, a large number of devices are potentially at risk, impacting both home and small business users.

Recommendation

Monitor web server logs for POST requests to /goform/WrlExtraSet with unusually long GO parameter values to detect potential exploitation attempts. Use the Sigma rule provided below.
Implement rate limiting on requests to /goform/WrlExtraSet to mitigate brute-force exploitation attempts.
Since there is no patch available, consider replacing affected Tenda CH22 1.0.0.1 routers with devices from vendors with timely security updates.

Tenda CH22 Router Stack-Based Buffer Overflow Vulnerability

hello@craftedsignal.io — Sun, 05 Apr 2026 23:16:20 +0000

CVE-2026-5604 details a critical security vulnerability affecting Tenda CH22 router version 1.0.0.1. The vulnerability is a stack-based buffer overflow located in the formCertLocalPrecreate function within the /goform/CertLocalPrecreate file, which handles parameters. Attackers can exploit this flaw by manipulating the standard argument. The vulnerability can be triggered remotely, meaning an attacker does not need local access to the device. Given that a public exploit is available, this vulnerability poses a significant risk to users of the affected Tenda CH22 router. This allows unauthenticated attackers to potentially gain full control of the device.

Attack Chain

An attacker identifies a Tenda CH22 router version 1.0.0.1 exposed to the internet.
The attacker crafts a malicious HTTP request targeting the /goform/CertLocalPrecreate endpoint.
The attacker includes an overly long string as the value for the standard parameter in the HTTP request.
The Tenda CH22 router receives the malicious request and passes the standard parameter to the formCertLocalPrecreate function.
The formCertLocalPrecreate function copies the oversized standard argument into a fixed-size buffer on the stack without proper bounds checking.
This causes a stack-based buffer overflow, overwriting adjacent memory regions, including the return address of the function.
The attacker controls the overwritten return address to point to attacker-controlled code injected into memory, or to a Return-Oriented Programming (ROP) chain.
Upon function return, execution is redirected to the attacker’s code, allowing them to execute arbitrary commands on the router.

Impact

Successful exploitation of CVE-2026-5604 allows a remote, unauthenticated attacker to execute arbitrary code on the Tenda CH22 router. This could lead to a complete compromise of the device, allowing the attacker to gain control over network traffic, modify router settings, or use the device as part of a botnet. Given the wide deployment of Tenda routers, a large number of devices could be vulnerable, making this a high-impact vulnerability.

Recommendation

Monitor web server logs for requests to /goform/CertLocalPrecreate with unusually long standard parameters to identify potential exploit attempts (see rule: “Detect Tenda CH22 Buffer Overflow Attempt via Long Standard Parameter”).
Implement rate limiting on the /goform/CertLocalPrecreate endpoint to mitigate brute-force exploitation attempts.
Apply any available firmware updates from Tenda to patch CVE-2026-5604.
Deploy the Sigma rule “Detect Tenda CH22 Router POST Request to CertLocalPrecreate” to identify suspicious POST requests to the affected endpoint and tune for your environment.

Tenda M3 Router Buffer Overflow Vulnerability

hello@craftedsignal.io — Sun, 05 Apr 2026 13:17:14 +0000

A critical buffer overflow vulnerability has been identified in Tenda M3 router version 1.0.0.10. The vulnerability resides in the setAdvPolicyData function within the /goform/setAdvPolicyData file, a part of the Destination Handler component. By manipulating the policyType argument, a remote attacker can trigger a buffer overflow, potentially leading to arbitrary code execution. Publicly available exploit code exists, increasing the risk of exploitation. This vulnerability poses a significant threat to organizations utilizing the affected Tenda M3 router, potentially allowing attackers to gain unauthorized access to the network or disrupt services.

Attack Chain

Attacker identifies a vulnerable Tenda M3 router exposed to the internet or reachable from their network position.
Attacker sends a crafted HTTP POST request to /goform/setAdvPolicyData.
The POST request includes a malicious policyType argument designed to overflow the buffer in the setAdvPolicyData function.
The setAdvPolicyData function in /goform/setAdvPolicyData processes the policyType argument without proper bounds checking.
The excessive data provided in the policyType argument overwrites adjacent memory regions.
The attacker carefully crafts the overflow to overwrite critical data or inject malicious code into the process’s memory space.
The injected code is executed, giving the attacker control over the router.
The attacker can then use the compromised router as a foothold to pivot to other devices on the network, exfiltrate sensitive data, or cause denial of service.

Impact

Successful exploitation of this buffer overflow vulnerability allows a remote attacker to execute arbitrary code on the Tenda M3 router. This could lead to a complete compromise of the device, allowing the attacker to control network traffic, access sensitive information, or use the router as a launchpad for further attacks within the network. Given the severity and the existence of public exploits, vulnerable routers are at high risk of being targeted.

Recommendation

Apply any available firmware updates from Tenda to patch CVE-2026-5567.
Monitor web server logs for suspicious POST requests to /goform/setAdvPolicyData with unusually long policyType arguments; deploy the Sigma rule Detect Suspicious PolicyType Argument Length to identify this activity.
Implement network segmentation to limit the potential impact of a compromised router.
Consider using a web application firewall (WAF) to filter malicious requests targeting the affected endpoint.
Review and restrict access to the router’s management interface to authorized personnel only.

Tenda AC10 Stack-Based Buffer Overflow Vulnerability

hello@craftedsignal.io — Sun, 05 Apr 2026 08:16:25 +0000

A critical stack-based buffer overflow vulnerability, identified as CVE-2026-5550, exists in Tenda AC10 router firmware version 16.03.10.10_multi_TDE01. The vulnerability is located in the fromSysToolChangePwd function within the /bin/httpd binary. A remote attacker can exploit this flaw to overwrite the stack and potentially execute arbitrary code on the affected device. This is achieved by sending a specially crafted request to the device. Successful exploitation could lead to complete system compromise, allowing attackers to gain unauthorized access, control the device, or use it as a foothold for further network intrusion. Given the widespread use of Tenda routers, this vulnerability poses a significant risk to home and small business networks.

Attack Chain

The attacker identifies a Tenda AC10 router running firmware version 16.03.10.10_multi_TDE01.
The attacker crafts a malicious HTTP request targeting the /bin/httpd endpoint.
The malicious request is designed to overflow the buffer in the fromSysToolChangePwd function when processing the request parameters.
The overflow overwrites the stack with attacker-controlled data, including the return address.
The httpd process attempts to return from the fromSysToolChangePwd function.
Due to the overwritten return address, execution is redirected to the attacker’s code.
The attacker’s code executes with the privileges of the httpd process.
The attacker gains control of the device and can perform arbitrary actions, such as modifying router settings, executing commands, or establishing a backdoor.

Impact

Successful exploitation of CVE-2026-5550 allows a remote attacker to gain complete control of the affected Tenda AC10 router. This can lead to data breaches, denial-of-service attacks, or the router being used as part of a botnet. Given the potential for widespread exploitation and the ease with which the vulnerability can be triggered, CVE-2026-5550 poses a high risk to users of the affected Tenda AC10 router model. The attacker could potentially monitor all network traffic passing through the device, steal sensitive information, or use the compromised device to launch attacks against other systems on the network or the internet.

Recommendation

Monitor web server logs for suspicious POST requests to /bin/httpd with abnormally large parameter values that could indicate a buffer overflow attempt targeting the fromSysToolChangePwd function to trigger the vulnerability (see the related Sigma rule below).
Since a patch is not mentioned, consider replacing the affected Tenda AC10 device or isolating it from critical network segments if immediate replacement is not feasible.
Deploy the Sigma rules in this brief to your SIEM and tune for your environment.

Tenda 4G03 Pro Improper Access Control Vulnerability (CVE-2026-5526)

hello@craftedsignal.io — Sat, 04 Apr 2026 23:16:44 +0000

A security vulnerability, identified as CVE-2026-5526, affects the Tenda 4G03 Pro router, specifically versions up to 1.0/1.1/04.03.01.53/192.168.0.1. The flaw resides within an unspecified function of the /bin/httpd file, leading to improper access controls. A remote attacker could exploit this vulnerability, potentially gaining unauthorized access to the device. Publicly available exploits exist, increasing the risk of exploitation. This issue was reported on April 4, 2026, and poses a significant threat due to the ease of remote exploitation.

Attack Chain

Attacker identifies a Tenda 4G03 Pro router with a publicly accessible web interface.
The attacker crafts a malicious HTTP request targeting the /bin/httpd file.
The malicious request exploits the improper access control vulnerability (CVE-2026-5526).
The router’s /bin/httpd process improperly handles the request, bypassing access controls.
The attacker gains unauthorized access to sensitive functionalities of the router.
The attacker modifies router configurations, such as DNS settings or firewall rules.
The attacker could potentially use the compromised router as a pivot point for further network attacks.

Impact

Successful exploitation of CVE-2026-5526 could allow attackers to remotely compromise Tenda 4G03 Pro routers. This can lead to unauthorized access to the device’s configuration, modification of settings, or use of the router as a stepping stone for further attacks within the network. Given the availability of public exploits, unpatched devices are at significant risk. While the exact number of affected devices is unknown, the widespread use of Tenda routers makes this a potentially significant issue.

Recommendation

Monitor web server logs for suspicious requests targeting /bin/httpd using the provided Sigma rule.
Apply available firmware updates or patches from Tenda to address CVE-2026-5526 as soon as they are released.
Implement network segmentation to limit the impact of a compromised router.
Enforce strong password policies for router administration to prevent unauthorized access.
Review and update firewall rules to restrict access to the router’s web interface from untrusted networks.
Deploy the provided Sigma rule to detect suspicious process execution originating from the web server process.

Tenda CH22 Stack-Based Buffer Overflow Vulnerability (CVE-2026-5204)

hello@craftedsignal.io — Tue, 31 Mar 2026 16:16:35 +0000

CVE-2026-5204 describes a critical stack-based buffer overflow vulnerability affecting Tenda CH22 router version 1.0.0.1. The vulnerability resides within the formWebTypeLibrary function in the /goform/webtypelibrary file, which handles web-based parameter input. An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the router, manipulating the webSiteId argument to overwrite the stack buffer. This allows for arbitrary code execution on the device. Given the router’s role as a network gateway, successful exploitation can lead to complete compromise of the device and potentially the entire network behind it. The availability of a public exploit increases the risk of widespread exploitation.

Attack Chain

The attacker identifies a vulnerable Tenda CH22 router running firmware version 1.0.0.1.
The attacker crafts a malicious HTTP POST request targeting the /goform/webtypelibrary endpoint.
The crafted request includes the webSiteId parameter with a payload exceeding the expected buffer size, triggering the stack-based buffer overflow in the formWebTypeLibrary function.
The overflow overwrites critical data on the stack, including the return address.
The overwritten return address is replaced with the address of malicious code injected into the payload or a pre-existing code location within the router’s firmware (Return-Oriented Programming - ROP).
The formWebTypeLibrary function returns, transferring control to the attacker-controlled code.
The attacker’s code executes, granting the attacker control over the device.
The attacker can then use this control to further compromise the network or disrupt services.

Impact

Successful exploitation of CVE-2026-5204 allows a remote attacker to execute arbitrary code on the vulnerable Tenda CH22 router. This can lead to complete control of the device, enabling the attacker to intercept network traffic, modify DNS settings, create VPNs, or launch further attacks on devices within the network. Given that routers are essential network devices, a successful attack can have a significant impact, affecting all connected devices and potentially exposing sensitive data.

Recommendation

Apply available firmware updates for Tenda CH22 routers immediately to patch CVE-2026-5204.
Deploy the Sigma rule Tenda-CH22-WebSiteId-Buffer-Overflow to detect exploitation attempts targeting the vulnerable endpoint.
Monitor web server logs for suspicious POST requests to /goform/webtypelibrary with unusually long webSiteId parameters, as indicated by WebSiteId_Length_Detection Sigma rule.
Implement network segmentation to limit the impact of a potential router compromise.

Tenda CH22 Router Stack-Based Buffer Overflow Vulnerability

hello@craftedsignal.io — Tue, 31 Mar 2026 00:16:15 +0000

A stack-based buffer overflow vulnerability has been identified in Tenda CH22 router version 1.0.0.1. The vulnerability resides within the formQuickIndex function of the /goform/QuickIndex file, which is a component of the Parameter Handler. This flaw can be triggered by manipulating the mit_linktype argument, leading to a buffer overflow on the stack. The vulnerability is remotely exploitable, meaning an attacker can trigger the flaw over the network without needing local access to the device. The existence of a public exploit further increases the risk of potential exploitation by malicious actors. Successful exploitation could allow an attacker to execute arbitrary code on the device.

Attack Chain

An attacker identifies a vulnerable Tenda CH22 router running firmware version 1.0.0.1 exposed to the internet.
The attacker crafts a malicious HTTP POST request targeting the /goform/QuickIndex endpoint.
The malicious request includes the mit_linktype argument with a payload exceeding the expected buffer size.
The Tenda CH22 router processes the HTTP request and passes the mit_linktype argument to the formQuickIndex function.
The formQuickIndex function copies the attacker-controlled mit_linktype data into a fixed-size buffer on the stack without proper bounds checking.
Due to the oversized payload, the copy operation overflows the buffer, overwriting adjacent memory on the stack, including the return address.
The formQuickIndex function completes and attempts to return to the caller function.
Due to the overwritten return address, control is redirected to attacker-controlled code, enabling arbitrary code execution.

Impact

Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the Tenda CH22 router. This can lead to a variety of malicious outcomes, including complete device compromise, denial of service, and the potential to use the router as a launchpad for further attacks on the local network or the internet. Given that routers are often used in both home and small business environments, a successful attack could affect a wide range of users and organizations.

Recommendation

Monitor web server logs for POST requests to /goform/QuickIndex with unusually long mit_linktype parameters to detect potential exploitation attempts. Implement the Sigma rule Detect Tenda CH22 mit_linktype Buffer Overflow Attempt against web server logs.
Implement rate limiting on the /goform/QuickIndex endpoint to mitigate potential denial-of-service attacks stemming from exploitation.
Since the source material identifies CWE-119 and CWE-121 as root causes, review code practices related to buffer handling and implement stricter input validation procedures.

Tenda CH22 Stack-Based Buffer Overflow Vulnerability

hello@craftedsignal.io — Mon, 30 Mar 2026 23:17:04 +0000

A critical stack-based buffer overflow vulnerability, identified as CVE-2026-5154, has been discovered in Tenda CH22 firmware version 1.0.0.1/1.If. The vulnerability resides within the fromSetCfm function in the /goform/setcfm file, a component of the Parameter Handler. Successful exploitation allows remote attackers to execute arbitrary code on the device. Publicly available exploits exist, increasing the risk of widespread exploitation. This vulnerability poses a significant threat to affected Tenda CH22 devices, potentially leading to complete system compromise.

Attack Chain

Attacker identifies a Tenda CH22 device running firmware version 1.0.0.1/1.If.
The attacker crafts a malicious HTTP POST request targeting the /goform/setcfm endpoint.
The request includes the funcname argument containing a string exceeding the buffer size allocated to it.
The fromSetCfm function processes the malicious funcname argument without proper bounds checking.
The oversized funcname value overflows the stack buffer, overwriting adjacent memory regions.
The attacker overwrites the return address on the stack with an address pointing to malicious code or a ROP chain.
The fromSetCfm function returns, causing execution to jump to the attacker-controlled address.
The attacker gains arbitrary code execution on the device, potentially leading to full system compromise.

Impact

Successful exploitation of this vulnerability allows a remote, unauthenticated attacker to execute arbitrary code on the affected Tenda CH22 device. This can result in complete device compromise, allowing the attacker to control the device, steal sensitive information, or use the device as a foothold for further attacks on the network. Given the availability of public exploits, a large number of devices could be compromised if left unpatched.

Recommendation

Monitor web server logs for suspicious POST requests to /goform/setcfm with unusually long funcname parameters, using the provided Sigma rule.
Implement rate limiting on requests to /goform/setcfm to mitigate potential brute-force exploitation attempts.
Apply any available patches or firmware updates from Tenda to address CVE-2026-5154.

Tenda FH1201 Stack-Based Buffer Overflow Vulnerability (CVE-2026-5046)

hello@craftedsignal.io — Sun, 29 Mar 2026 15:16:36 +0000

CVE-2026-5046 is a stack-based buffer overflow vulnerability affecting Tenda FH1201 routers running firmware version 1.2.0.14(408). The vulnerability resides within the formWrlExtraSet function of the /goform/WrlExtraSet component, specifically in the handling of the GO argument. A remote attacker can exploit this flaw by sending a crafted HTTP request with a maliciously oversized GO parameter, overwriting the stack and potentially gaining arbitrary code execution on the device. The…

Tenda 4G06 Router Stack-Based Buffer Overflow Vulnerability (CVE-2026-5036)

hello@craftedsignal.io — Sun, 29 Mar 2026 08:15:56 +0000

A stack-based buffer overflow vulnerability, identified as CVE-2026-5036, affects the Tenda 4G06 router, specifically version 04.06.01.29. The vulnerability resides in the fromDhcpListClient function within the /goform/DhcpListClient endpoint. A remote attacker can exploit this by crafting a malicious request that manipulates the page argument, leading to a buffer overflow on the stack. This could allow the attacker to potentially execute arbitrary code on the device. Given the…

Tenda AC15 Stack-Based Buffer Overflow Vulnerability (CVE-2026-4975)

hello@craftedsignal.io — Sat, 28 Mar 2026 12:00:00 +0000

CVE-2026-4975 is a critical security vulnerability affecting Tenda AC15 routers running firmware version 15.03.05.19. This vulnerability resides in the formSetCfm function, specifically within the /goform/setcfm file, which handles POST requests. An attacker can exploit a stack-based buffer overflow by sending a crafted POST request with a malicious payload in the funcpara1 argument. The vulnerability is remotely exploitable, meaning an attacker does not need local access to the device…

Tenda AC6 Stack-Based Buffer Overflow Vulnerability

hello@craftedsignal.io — Fri, 27 Mar 2026 17:16:30 +0000

A critical stack-based buffer overflow vulnerability has been identified in Tenda AC6 router firmware version 15.03.05.16. The vulnerability, tracked as CVE-2026-4960, resides within the fromWizardHandle function of the /goform/WizardHandle component, which handles POST requests. A remote attacker can exploit this vulnerability by sending a crafted POST request with a manipulated WANT or WANS argument, leading to arbitrary code execution on the device. Public exploit code is available, increasing the risk of widespread exploitation. This vulnerability poses a significant threat, potentially allowing attackers to gain complete control over vulnerable routers and compromise connected networks.

Attack Chain

Attacker identifies a Tenda AC6 router running firmware version 15.03.05.16.
The attacker crafts a malicious POST request targeting the /goform/WizardHandle endpoint.
Within the POST request, the attacker manipulates the WANT or WANS argument to inject a payload exceeding the buffer size.
The router processes the POST request, passing the attacker-controlled input to the vulnerable fromWizardHandle function.
The overflow occurs when the fromWizardHandle function copies the attacker-supplied data into a fixed-size buffer on the stack without proper bounds checking.
The injected payload overwrites adjacent memory locations on the stack, including the return address.
When the fromWizardHandle function returns, it jumps to the attacker-controlled address.
The attacker gains arbitrary code execution on the router, potentially leading to complete system compromise.

Impact

Successful exploitation of this vulnerability allows a remote attacker to gain complete control of the affected Tenda AC6 router. This can lead to a variety of malicious outcomes, including network hijacking, DNS poisoning, interception of network traffic, deployment of malware, and the creation of botnets. Given the widespread use of Tenda routers in home and small business networks, a large number of devices are potentially vulnerable. The CVSS v3.1 score of 8.8 reflects the high severity of this vulnerability.

Recommendation

Apply any available firmware updates from Tenda to patch CVE-2026-4960.
Monitor web server logs for suspicious POST requests to /goform/WizardHandle with abnormally long WANT or WANS parameters using the Sigma rule provided below.
Implement network intrusion detection system (NIDS) rules to detect exploit attempts targeting the /goform/WizardHandle endpoint.
Restrict access to the router’s web interface from the public internet where possible to reduce the attack surface.

Tenda AC5 Stack-Based Buffer Overflow Vulnerability (CVE-2026-4903)

hello@craftedsignal.io — Fri, 27 Mar 2026 12:00:00 +0000

CVE-2026-4903 describes a critical stack-based buffer overflow vulnerability affecting Tenda AC5 routers, specifically version 15.03.06.47. The vulnerability resides within the formQuickIndex function of the /goform/QuickIndex component, which handles POST requests. An attacker can remotely exploit this vulnerability by crafting a malicious POST request to /goform/QuickIndex with an overly long PPPOEPassword argument. This overflow allows the attacker to potentially overwrite adjacent…

Tenda AC5 Stack-Based Buffer Overflow Vulnerability

hello@craftedsignal.io — Fri, 27 Mar 2026 00:16:24 +0000

A stack-based buffer overflow vulnerability, identified as CVE-2026-4905, has been discovered in Tenda AC5 home routers running firmware version 15.03.06.47. The vulnerability resides within the formWifiWpsOOB function in the /goform/WifiWpsOOB file, which handles POST requests. Attackers can remotely exploit this flaw by crafting a malicious POST request to this endpoint, specifically targeting the index argument. Successful exploitation leads to arbitrary code execution on the device…

Tenda F453 Router Stack-Based Buffer Overflow Vulnerability (CVE-2026-4553)

hello@craftedsignal.io — Mon, 23 Mar 2026 12:00:00 +0000

A stack-based buffer overflow vulnerability, tracked as CVE-2026-4553, has been identified in Tenda F453 version 1.0.0.3. The flaw resides within the fromNatlimit function of the /goform/Natlimit component’s Parameters Handler. Publicly available exploits exist, increasing the risk of exploitation. Successful exploitation could allow an attacker to execute arbitrary code on the affected device. This vulnerability poses a significant threat to users of the Tenda F453 router, potentially…

Tenda A15 Router Stack-Based Buffer Overflow (CVE-2026-4567)

hello@craftedsignal.io — Mon, 23 Mar 2026 03:16:00 +0000

A critical stack-based buffer overflow vulnerability, identified as CVE-2026-4567, has been discovered in Tenda A15 wireless routers running firmware version 15.13.07.13. The vulnerability resides in the UploadCfg function within the /cgi-bin/UploadCfg file, which handles file uploads. A remote attacker can exploit this flaw by crafting a malicious request to the router, specifically targeting the File argument, to overwrite the stack buffer and potentially gain arbitrary code execution…

Tenda AC21 Router Buffer Overflow Vulnerability

hello@craftedsignal.io — Mon, 23 Mar 2026 01:16:43 +0000

A critical buffer overflow vulnerability, CVE-2026-4565, affects Tenda AC21 routers running firmware version 16.03.08.16. The flaw resides in the formSetQosBand function within the /goform/SetNetControlList file. Attackers can exploit this vulnerability by crafting malicious argument lists in HTTP requests, leading to arbitrary code execution on the device. The vulnerability can be exploited remotely and a proof-of-concept exploit is publicly available, increasing the risk of widespread exploitation. Successful exploitation allows attackers to gain complete control over the router, potentially compromising connected devices and network traffic.

Attack Chain

Attacker identifies a vulnerable Tenda AC21 router with firmware version 16.03.08.16.
The attacker crafts a malicious HTTP POST request targeting the /goform/SetNetControlList endpoint.
The POST request includes a specially crafted argument list designed to overflow the buffer in the formSetQosBand function.
The router processes the HTTP request and passes the malicious arguments to the vulnerable function.
The formSetQosBand function attempts to copy the oversized argument list into a fixed-size buffer, triggering a buffer overflow.
The buffer overflow overwrites adjacent memory regions, potentially including critical program data or execution pointers.
The attacker gains control of the program execution flow and injects malicious code.
The injected code executes with elevated privileges, granting the attacker complete control over the router.

Impact

Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the Tenda AC21 router. This can lead to a variety of malicious outcomes, including: complete device compromise, modification of router settings, interception of network traffic, deployment of malware to connected devices, and use of the router as a botnet node. Given the wide usage of Tenda routers in home and small business environments, a successful widespread exploit could impact thousands of users.

Recommendation

Monitor web server logs for suspicious POST requests to /goform/SetNetControlList with unusually long or malformed arguments (see rule: “Detect Suspicious POST Requests to SetNetControlList”).
Implement rate limiting on HTTP POST requests to prevent attackers from quickly exploiting the vulnerability.
Deploy the Sigma rule “Detect Tenda AC21 Buffer Overflow Attempt” to identify exploitation attempts based on specific patterns in HTTP requests.
Consider blocking traffic from known exploit sources, if available.
Upgrade to a patched firmware version as soon as it becomes available from the vendor.

Tenda FH303/A300 DNS Hijacking Vulnerability (CVE-2018-25318)

hello@craftedsignal.io — Wed, 03 Jan 2024 18:00:00 +0000

CVE-2018-25318 affects Tenda FH303/A300 routers running firmware version V5.07.68_EN. This vulnerability stems from a session weakness related to insufficient cookie validation. An unauthenticated attacker can exploit this flaw to modify the DNS settings of the router. By sending a crafted GET request to the /goform/AdvSetDns endpoint, an attacker can inject a malicious admin cookie. This allows them to overwrite the configured DNS servers, potentially redirecting all network traffic from connected devices through attacker-controlled infrastructure. This can lead to phishing attacks, malware distribution, and other malicious activities. The vulnerability poses a significant risk to home and small office networks using the affected Tenda routers.

Attack Chain

An attacker identifies a vulnerable Tenda FH303/A300 router running firmware V5.07.68_EN.
The attacker crafts a malicious HTTP GET request targeting the /goform/AdvSetDns endpoint.
The crafted GET request includes a forged admin cookie, bypassing authentication checks due to the session weakness.
The attacker sends the crafted GET request to the router’s management interface.
The router, due to insufficient cookie validation, accepts the forged cookie and processes the request.
The request modifies the DNS server settings on the router, replacing the legitimate DNS servers with attacker-controlled DNS servers.
Users connected to the router unknowingly use the attacker’s DNS servers for name resolution.
DNS requests are redirected to malicious IPs controlled by the attacker, potentially leading to phishing sites or malware downloads.

Impact

Successful exploitation of CVE-2018-25318 allows an attacker to perform DNS hijacking on affected Tenda routers. This can redirect users to malicious websites designed to steal credentials, distribute malware, or conduct other harmful activities. The vulnerability poses a critical risk to users of the affected routers, as it can compromise their online security and privacy. The CVSS v3.1 base score for this vulnerability is 9.8, highlighting its severity. The number of affected users is dependent on the number of deployed vulnerable devices.

Recommendation

Monitor web server logs for requests to /goform/AdvSetDns with unusual parameters (Sigma rule: “Detect Tenda Router DNS Hijacking Attempt”).
If possible, upgrade the router firmware to a version that patches CVE-2018-25318.
Implement network segmentation to limit the impact of compromised devices.
Consider using a reputable DNS service with built-in security features to mitigate the impact of DNS hijacking attacks.

Tenda HG3 Router Command Injection Vulnerability (CVE-2026-7096)

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

A critical command injection vulnerability, identified as CVE-2026-7096, affects Tenda HG3 2.0 300003070 routers. The vulnerability resides in the ‘formgponConf’ function within the ‘/boaform/admin/formgponConf’ file. An attacker can exploit this flaw by manipulating the ‘fmgpon_loid’ argument. Successful exploitation allows a remote attacker to execute arbitrary operating system commands on the affected device. Given the public availability of an exploit, Tenda HG3 devices are at immediate risk of compromise. This poses a significant threat as attackers can potentially gain full control of the router, compromise connected networks, and exfiltrate sensitive information.

Attack Chain

The attacker identifies a vulnerable Tenda HG3 2.0 300003070 router with an exposed web interface.
The attacker crafts a malicious HTTP POST request targeting the ‘/boaform/admin/formgponConf’ endpoint.
The attacker injects a payload containing OS commands into the ‘fmgpon_loid’ parameter of the POST request.
The Tenda HG3 router’s web server processes the request without proper input validation of the ‘fmgpon_loid’ parameter.
The injected OS command is executed by the router’s operating system with the privileges of the web server process.
The attacker gains remote code execution on the Tenda HG3 router.
The attacker may establish a reverse shell to maintain persistent access or download further malicious payloads.
The attacker can then pivot to internal networks, exfiltrate data, or use the compromised router for other malicious activities.

Impact

Successful exploitation of CVE-2026-7096 grants attackers the ability to execute arbitrary OS commands on the Tenda HG3 router. This can lead to complete compromise of the device, allowing attackers to modify router settings, intercept network traffic, and potentially gain access to connected devices on the local network. Given the widespread use of Tenda routers in home and small business environments, a successful attack could impact thousands of users. The vulnerability’s high CVSS score of 8.8 underscores the severity and potential for widespread damage.

Recommendation

Deploy the Sigma rule “Detect Tenda HG3 Command Injection Attempt” to your SIEM to identify exploitation attempts by monitoring HTTP POST requests to ‘/boaform/admin/formgponConf’ with suspicious commands in the ‘fmgpon_loid’ parameter.
Implement network intrusion detection system (NIDS) rules to detect malicious payloads in HTTP POST requests targeting the vulnerable endpoint, as described in the “Attack Chain” section.
While no specific IOCs are provided, analyze network traffic and web server logs for unusual activity originating from or targeting Tenda HG3 routers.
Monitor web server logs for HTTP POST requests to /boaform/admin/formgponConf (described in Attack Chain step 2).

Tenda FH1202 Stack-Based Buffer Overflow Vulnerability (CVE-2026-7034)

hello@craftedsignal.io — Tue, 02 Jan 2024 12:00:00 +0000

A critical stack-based buffer overflow vulnerability, identified as CVE-2026-7034, has been discovered in Tenda FH1202 version 1.2.0.14(408). The vulnerability resides within the WrlExtraSet function of the /goform/WrlExtraSet component, which is part of the device’s httpd server. A remote attacker can exploit this vulnerability by crafting a malicious HTTP request that manipulates the Go argument, leading to arbitrary code execution on the affected device. The exploit for this vulnerability has been made public, increasing the risk of widespread exploitation. This vulnerability poses a significant threat to users of the Tenda FH1202 router as it allows for complete compromise of the device.

Attack Chain

The attacker identifies a vulnerable Tenda FH1202 router exposed to the internet.
The attacker crafts a malicious HTTP POST request targeting the /goform/WrlExtraSet endpoint.
The crafted request includes a Go parameter with a payload exceeding the expected buffer size, triggering the stack-based buffer overflow.
The overflow overwrites critical return addresses on the stack.
The overwritten return address is redirected to malicious code injected by the attacker within the overflowed buffer.
The injected code executes with the privileges of the httpd process.
The attacker gains complete control of the device, potentially allowing for the installation of malware, modification of router settings, or interception of network traffic.

Impact

Successful exploitation of this vulnerability allows a remote attacker to gain complete control of the Tenda FH1202 router. This can lead to a variety of malicious activities, including installing persistent backdoors, modifying DNS settings to redirect traffic, or using the compromised device as part of a botnet. The lack of required authentication for exploitation increases the severity, making it easily exploitable. While the exact number of affected devices is unknown, the widespread use of Tenda routers suggests a potentially large number of vulnerable targets.

Recommendation

Monitor web server logs for suspicious POST requests to /goform/WrlExtraSet with unusually long Go parameter values to detect potential exploitation attempts. Reference the Sigma rule Detect Suspicious WrlExtraSet Requests.
Implement rate limiting for requests to the /goform/WrlExtraSet endpoint to mitigate brute-force exploitation attempts.
Consider blocking or alerting on requests to /goform/WrlExtraSet originating from outside the expected user base (e.g., requests originating from outside the country where the organization operates).