{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/tenda/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-7470"}],"_cs_exploited":false,"_cs_products":["4G300"],"_cs_severities":["critical"],"_cs_tags":["buffer-overflow","tenda","router","cve-2026-7470"],"_cs_type":"advisory","_cs_vendors":["Tenda"],"content_html":"\u003cp\u003eA stack-based buffer overflow vulnerability has been identified in Tenda 4G300 routers, specifically version US_4G300V1.0Mt_V1.01.42_CN_TDC01. The vulnerability resides within the \u003ccode\u003esub_427C3C\u003c/code\u003e function located in the \u003ccode\u003e/goform/SafeMacFilter\u003c/code\u003e file. An attacker can exploit this flaw by manipulating the \u003ccode\u003epage\u003c/code\u003e argument in a crafted request, leading to a buffer overflow and potentially allowing for arbitrary code execution on the affected device. 
The vulnerability, identified as CVE-2026-7470, poses a significant risk as remote exploitation is possible, and a proof-of-concept exploit is publicly available, increasing the likelihood of malicious actors leveraging this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Tenda 4G300 router running the vulnerable firmware version US_4G300V1.0Mt_V1.01.42_CN_TDC01.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/goform/SafeMacFilter\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes the \u003ccode\u003epage\u003c/code\u003e argument with a payload exceeding the buffer size allocated for it within the \u003ccode\u003esub_427C3C\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe router processes the HTTP request, passing the oversized \u003ccode\u003epage\u003c/code\u003e argument to the vulnerable function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esub_427C3C\u003c/code\u003e function attempts to write the oversized data into a stack-based buffer, causing a buffer overflow.\u003c/li\u003e\n\u003cli\u003eThe buffer overflow overwrites adjacent memory on the stack, including the return address.\u003c/li\u003e\n\u003cli\u003eThe attacker redirects execution flow to a malicious code payload injected into the request or elsewhere in memory.\u003c/li\u003e\n\u003cli\u003eThe injected code executes with the privileges of the router process, potentially allowing the attacker to gain full control of the device.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to complete compromise of the Tenda 4G300 router. 
An attacker could gain unauthorized access to the device\u0026rsquo;s configuration, intercept network traffic, or use the router as a launching point for further attacks against other devices on the network or the internet. Given the widespread use of these routers in homes and small businesses, a successful attack could impact a large number of users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for unusual POST requests to \u003ccode\u003e/goform/SafeMacFilter\u003c/code\u003e with abnormally long \u003ccode\u003epage\u003c/code\u003e parameters. Use the provided Sigma rule to detect suspicious activity.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on the \u003ccode\u003e/goform/SafeMacFilter\u003c/code\u003e endpoint to mitigate potential brute-force exploitation attempts.\u003c/li\u003e\n\u003cli\u003eApply any available patches or firmware updates released by Tenda to address CVE-2026-7470.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T03:16:01Z","date_published":"2026-04-30T03:16:01Z","id":"/briefs/2026-04-tenda-stack-overflow/","summary":"A remote stack-based buffer overflow vulnerability exists in the Tenda 4G300 router, version US_4G300V1.0Mt_V1.01.42_CN_TDC01, allowing an attacker to potentially execute arbitrary code by manipulating the 'page' argument to the sub_427C3C function in the /goform/SafeMacFilter file.","title":"Tenda 4G300 Stack-Based Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-tenda-stack-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2018-25316"}],"_cs_exploited":false,"_cs_products":["W308R 
v2"],"_cs_severities":["critical"],"_cs_tags":["cve-2018-25316","dns-hijacking","tenda","cookie-injection"],"_cs_type":"advisory","_cs_vendors":["Tenda"],"content_html":"\u003cp\u003eTenda W308R v2 running firmware V5.07.48 is susceptible to a cookie session weakness (CVE-2018-25316) that enables unauthenticated attackers to perform DNS hijacking. This vulnerability stems from insufficient session validation. An attacker can exploit this weakness by sending specially crafted GET requests to the \u003ccode\u003egoform/AdvSetDns\u003c/code\u003e endpoint. The malicious request includes a crafted admin language cookie, which bypasses authentication checks and allows modification of the device\u0026rsquo;s DNS server settings. Successful exploitation allows the attacker to redirect the router\u0026rsquo;s DNS queries to a malicious server under their control. This poses a significant risk to end-users, as it can lead to phishing attacks, malware distribution, and other malicious activities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Tenda W308R v2 router running firmware V5.07.48 exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP GET request targeting the \u003ccode\u003egoform/AdvSetDns\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe GET request includes a crafted \u0026ldquo;admin language cookie\u0026rdquo; designed to bypass authentication.\u003c/li\u003e\n\u003cli\u003eThe router receives the malicious GET request and, due to insufficient session validation, incorrectly authenticates the attacker.\u003c/li\u003e\n\u003cli\u003eThe router processes the malicious request, modifying the DNS server settings to attacker-controlled DNS servers.\u003c/li\u003e\n\u003cli\u003eUsers connected to the compromised router now resolve domain names through the attacker\u0026rsquo;s DNS 
server.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s DNS server redirects users to malicious websites, potentially serving malware or phishing pages.\u003c/li\u003e\n\u003cli\u003eUsers unknowingly interact with the malicious content, leading to data theft, system compromise, or other harmful outcomes.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to control DNS resolution for all devices connected to the affected Tenda W308R v2 router. This can lead to widespread redirection to phishing sites designed to steal credentials, or to sites hosting malware that infects user devices. Given the widespread use of Tenda routers, this vulnerability could impact a large number of home and small business networks. A successful attack allows the attacker to perform man-in-the-middle attacks, eavesdrop on network traffic, and compromise connected devices.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Tenda Router DNS Hijack Attempt\u003c/code\u003e to identify attempts to exploit this vulnerability by monitoring for suspicious requests to the \u003ccode\u003e/goform/AdvSetDns\u003c/code\u003e endpoint (log source: webserver).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests containing a crafted admin language cookie to the \u003ccode\u003e/goform/AdvSetDns\u003c/code\u003e endpoint, indicating potential exploitation attempts (log source: webserver).\u003c/li\u003e\n\u003cli\u003eApply available patches or firmware updates from Tenda to address the cookie session weakness and prevent unauthorized DNS modifications.\u003c/li\u003e\n\u003cli\u003eConsider replacing the affected device if a patch is unavailable, especially in high-risk 
environments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T20:16:27Z","date_published":"2026-04-29T20:16:27Z","id":"/briefs/2026-04-tenda-dns-hijack/","summary":"Tenda W308R v2 V5.07.48 is vulnerable to cookie session weakness, allowing unauthenticated attackers to modify DNS settings via crafted GET requests to redirect user traffic to malicious sites.","title":"Tenda W308R DNS Hijacking Vulnerability (CVE-2018-25316)","url":"https://feed.craftedsignal.io/briefs/2026-04-tenda-dns-hijack/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2018-25317"}],"_cs_exploited":false,"_cs_products":["W3002R/A302/W309R wireless routers"],"_cs_severities":["critical"],"_cs_tags":["cve-2018-25317","dns-hijacking","router-vulnerability"],"_cs_type":"advisory","_cs_vendors":["Tenda"],"content_html":"\u003cp\u003eTenda W3002R, A302, and W309R wireless routers running firmware version V5.07.64_en are susceptible to a cookie session weakness (CVE-2018-25317). This vulnerability allows unauthenticated attackers to remotely modify DNS settings on the affected devices. The attack exploits insufficient session validation, enabling malicious actors to inject commands and redirect user traffic to attacker-controlled DNS servers. This poses a significant risk as it can lead to phishing attacks, malware distribution, and credential theft. Exploitation is straightforward, requiring only a crafted HTTP GET request, making it accessible to unsophisticated attackers. 
The vulnerability was reported in April 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a vulnerable Tenda router with firmware V5.07.64_en.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP GET request targeting the \u003ccode\u003e/goform/AdvSetDns\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted GET request includes a malicious \u003ccode\u003eadmin language\u003c/code\u003e cookie designed to bypass session validation.\u003c/li\u003e\n\u003cli\u003eThe attacker injects modified DNS server addresses into the GET request parameters (primary DNS and secondary DNS).\u003c/li\u003e\n\u003cli\u003eThe vulnerable router processes the malicious GET request without proper session validation.\u003c/li\u003e\n\u003cli\u003eThe router updates its DNS settings to the attacker-specified DNS servers.\u003c/li\u003e\n\u003cli\u003eUsers connected to the compromised router now resolve domain names through the attacker\u0026rsquo;s DNS server.\u003c/li\u003e\n\u003cli\u003eThe attacker can redirect user traffic to malicious websites or intercept sensitive information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2018-25317 allows attackers to perform DNS hijacking on vulnerable Tenda routers, potentially affecting all connected users. By controlling the DNS server, attackers can redirect users to phishing sites, distribute malware, or intercept sensitive communications. Given the ease of exploitation, a large number of routers could be compromised, leading to widespread disruption and data theft. 
The severity is heightened because no authentication is required to change the DNS settings.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Tenda Router DNS Setting Modification\u003c/code\u003e to monitor web server logs for requests to the \u003ccode\u003e/goform/AdvSetDns\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eApply network-level filtering to block connections to known malicious DNS servers based on threat intelligence feeds.\u003c/li\u003e\n\u003cli\u003eAlthough no firmware update is available, consider replacing end-of-life Tenda routers (W3002R/A302/W309R with V5.07.64_en) with more secure models.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T20:16:27Z","date_published":"2026-04-29T20:16:27Z","id":"/briefs/2026-04-tenda-dns-hijacking/","summary":"Tenda W3002R/A302/W309R routers with firmware V5.07.64_en are vulnerable to unauthenticated DNS hijacking, where attackers exploit a cookie session weakness to modify DNS settings via crafted GET requests.","title":"Tenda Router DNS Hijacking via Cookie Session Weakness","url":"https://feed.craftedsignal.io/briefs/2026-04-tenda-dns-hijacking/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-7151"}],"_cs_exploited":false,"_cs_products":["HG3"],"_cs_severities":["critical"],"_cs_tags":["cve-2026-7151","buffer-overflow","tenda","router"],"_cs_type":"advisory","_cs_vendors":["Tenda"],"content_html":"\u003cp\u003eA stack-based buffer overflow vulnerability has been identified in Tenda HG3 version 2.0. The vulnerability exists within the \u003ccode\u003eformUploadConfig\u003c/code\u003e function of the \u003ccode\u003e/boaform/formIPv6Routing\u003c/code\u003e file. A remote attacker can exploit this by manipulating the \u003ccode\u003edestNet\u003c/code\u003e argument, potentially leading to arbitrary code execution on the device. 
The vulnerability, identified as CVE-2026-7151, has a publicly available exploit, increasing the risk of exploitation. This poses a significant threat to users of Tenda HG3 v2.0 routers, potentially allowing attackers to gain unauthorized access and control over the device. The CVSS v3.1 score is rated as 8.8 (HIGH).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a Tenda HG3 v2.0 router with default or known credentials, or no authentication at all.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP POST request to \u003ccode\u003e/boaform/formIPv6Routing\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request targets the \u003ccode\u003eformUploadConfig\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003edestNet\u003c/code\u003e argument within the HTTP POST data is manipulated with a string exceeding the buffer size.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eformUploadConfig\u003c/code\u003e function processes the oversized \u003ccode\u003edestNet\u003c/code\u003e argument without proper bounds checking.\u003c/li\u003e\n\u003cli\u003eThis causes a stack-based buffer overflow, overwriting adjacent memory regions on the stack.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution on the device by overwriting the return address or other critical data on the stack.\u003c/li\u003e\n\u003cli\u003eThe attacker can then leverage this to gain full control of the device, potentially modifying settings, injecting malware, or using it as part of a botnet.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the affected Tenda HG3 v2.0 router. 
This could lead to complete compromise of the device, allowing the attacker to monitor network traffic, change router settings, or use the device as a launchpad for further attacks against other devices on the network. Given the potential for widespread exploitation due to the publicly available exploit, a large number of Tenda HG3 v2.0 users are at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for unusual POST requests to \u003ccode\u003e/boaform/formIPv6Routing\u003c/code\u003e with excessively long \u003ccode\u003edestNet\u003c/code\u003e parameters to detect potential exploit attempts (see example Sigma rule below).\u003c/li\u003e\n\u003cli\u003eImplement rate limiting for requests to \u003ccode\u003e/boaform/formIPv6Routing\u003c/code\u003e to mitigate brute-force exploitation attempts.\u003c/li\u003e\n\u003cli\u003eApply available patches or firmware updates from Tenda to address CVE-2026-7151 on vulnerable HG3 2.0 devices.\u003c/li\u003e\n\u003cli\u003eConsider deploying a web application firewall (WAF) rule to filter out malicious requests targeting the \u003ccode\u003edestNet\u003c/code\u003e parameter in \u003ccode\u003e/boaform/formIPv6Routing\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-28T12:00:00Z","date_published":"2026-04-28T12:00:00Z","id":"/briefs/2026-04-tenda-hg3-overflow/","summary":"A stack-based buffer overflow vulnerability in the formUploadConfig function of Tenda HG3 v2.0's /boaform/formIPv6Routing file allows remote attackers to execute arbitrary code by manipulating the destNet argument.","title":"Tenda HG3 v2.0 Stack-Based Buffer Overflow in formUploadConfig","url":"https://feed.craftedsignal.io/briefs/2026-04-tenda-hg3-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-7160"}],"_cs_exploited":false,"_cs_products":["HG3 
2.0"],"_cs_severities":["critical"],"_cs_tags":["command-injection","cve-2026-7160","tenda"],"_cs_type":"advisory","_cs_vendors":["Tenda"],"content_html":"\u003cp\u003eTenda HG3 2.0 is vulnerable to a command injection vulnerability (CVE-2026-7160) affecting the formTracert function in the /boaform/formTracert file. A remote attacker can exploit this by manipulating the datasize argument to inject arbitrary commands into the system. The vulnerability has a CVSS v3.1 score of 8.8, indicating a high severity. Public disclosure and potential exploitation make this a critical issue for users of the Tenda HG3 2.0 router. Successful exploitation allows an attacker to execute arbitrary commands on the device, potentially leading to complete system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Tenda HG3 2.0 router with an exposed web interface.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the /boaform/formTracert endpoint.\u003c/li\u003e\n\u003cli\u003eThe malicious request includes a manipulated datasize argument designed to inject a command.\u003c/li\u003e\n\u003cli\u003eThe web server processes the request and passes the manipulated datasize argument to the formTracert function.\u003c/li\u003e\n\u003cli\u003eThe formTracert function fails to properly sanitize the input, allowing the injected command to be executed by the system.\u003c/li\u003e\n\u003cli\u003eThe injected command executes with the privileges of the web server process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution on the router.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a remote attacker to execute arbitrary commands on the Tenda HG3 2.0 router. 
This can lead to complete compromise of the device, including modification of router settings, interception of network traffic, and potential use of the router as a botnet node. Given the high base score of 8.8, this poses a significant risk to affected users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches or firmware updates provided by Tenda to address CVE-2026-7160.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to \u003ccode\u003e/boaform/formTracert\u003c/code\u003e with unusual \u003ccode\u003edatasize\u003c/code\u003e parameters, as covered by the Sigma rule \u0026ldquo;Detect Tenda HG3 Command Injection Attempt\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eImplement network intrusion detection system (IDS) rules to detect and block exploit attempts targeting this vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-27T22:16:18Z","date_published":"2026-04-27T22:16:18Z","id":"/briefs/2026-04-tenda-hg3-command-injection/","summary":"Tenda HG3 2.0 is vulnerable to command injection; by manipulating the datasize argument in the formTracert function of the /boaform/formTracert file, a remote attacker can inject commands.","title":"Tenda HG3 2.0 Command Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-tenda-hg3-command-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-7101"}],"_cs_exploited":false,"_cs_products":["F456 (1.0.0.5)"],"_cs_severities":["critical"],"_cs_tags":["cve-2026-7101","buffer-overflow","router","tenda","remote-code-execution"],"_cs_type":"advisory","_cs_vendors":["Tenda"],"content_html":"\u003cp\u003eA critical buffer overflow vulnerability, identified as CVE-2026-7101, has been discovered in Tenda F456 router version 1.0.0.5. 
The vulnerability resides in the \u003ccode\u003efromWrlclientSet\u003c/code\u003e function within the \u003ccode\u003e/goform/WrlclientSet\u003c/code\u003e file, which is part of the router\u0026rsquo;s httpd component. Successful exploitation allows remote attackers to execute arbitrary code on the device. Publicly available exploit code exists, increasing the risk of widespread exploitation. This vulnerability poses a significant threat to home and small business networks using the affected Tenda router model, potentially leading to complete device compromise and unauthorized network access. The vulnerability was published on 2026-04-27 and is tracked by VulDB.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable Tenda F456 router running firmware version 1.0.0.5.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003e/goform/WrlclientSet\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes an oversized payload designed to overflow the buffer in the \u003ccode\u003efromWrlclientSet\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ehttpd\u003c/code\u003e process attempts to process the request without proper bounds checking.\u003c/li\u003e\n\u003cli\u003eThe buffer overflow occurs, overwriting adjacent memory regions, including critical program data and execution pointers.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the program execution flow.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code on the router, potentially including shell commands or custom malware.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves complete control of the router, potentially enabling network reconnaissance, data exfiltration, or further attacks on the local network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this buffer overflow vulnerability allows a remote attacker to execute arbitrary code on the Tenda F456 router. This can lead to complete device compromise, allowing the attacker to control network traffic, modify router settings, or use the compromised device as a pivot point for further attacks within the network. Given the wide usage of Tenda routers in home and small business environments, a successful widespread exploitation could impact thousands of users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched firmware version if available from the vendor.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of a compromised router.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity targeting the \u003ccode\u003e/goform/WrlclientSet\u003c/code\u003e endpoint using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement an IPS rule to detect and block exploit attempts targeting CVE-2026-7101.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-27T09:19:31Z","date_published":"2026-04-27T09:19:31Z","id":"/briefs/2026-04-tenda-f456-buffer-overflow/","summary":"A buffer overflow vulnerability in Tenda F456 version 1.0.0.5 allows remote attackers to execute arbitrary code via a crafted request to the fromWrlclientSet function in the /goform/WrlclientSet file of the httpd component.","title":"Tenda F456 Router Buffer Overflow Vulnerability (CVE-2026-7101)","url":"https://feed.craftedsignal.io/briefs/2026-04-tenda-f456-buffer-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-7081"}],"_cs_exploited":false,"_cs_products":["F456"],"_cs_severities":["critical"],"_cs_tags":["cve","buffer_overflow","router"],"_cs_type":"advisory","_cs_vendors":["Tenda"],"content_html":"\u003cp\u003eA critical buffer overflow vulnerability, 
identified as CVE-2026-7081, affects Tenda F456 router version 1.0.0.5. The vulnerability resides in the \u003ccode\u003efromGstDhcpSetSer\u003c/code\u003e function within the \u003ccode\u003e/goform/GstDhcpSetSer\u003c/code\u003e file, a component of the device\u0026rsquo;s httpd service. Successful exploitation allows a remote attacker to execute arbitrary code on the device. Publicly available exploit code increases the risk of widespread exploitation. This vulnerability poses a significant threat as it can lead to complete compromise of the affected device, potentially allowing attackers to gain unauthorized access to the network, steal sensitive information, or use the device as part of a botnet.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Tenda F456 router (version 1.0.0.5) exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/goform/GstDhcpSetSer\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe HTTP request includes the \u003ccode\u003edips\u003c/code\u003e argument, which is intentionally oversized to trigger the buffer overflow.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003efromGstDhcpSetSer\u003c/code\u003e function processes the request without proper bounds checking.\u003c/li\u003e\n\u003cli\u003eThe oversized \u003ccode\u003edips\u003c/code\u003e argument overwrites adjacent memory regions on the stack.\u003c/li\u003e\n\u003cli\u003eThe attacker carefully crafts the overflow to overwrite the return address with an address pointing to attacker-controlled code.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efromGstDhcpSetSer\u003c/code\u003e function returns, causing execution to jump to the attacker\u0026rsquo;s code.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s code executes with the privileges of the httpd process, potentially 
leading to full device compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the affected Tenda F456 router. This can result in complete device compromise, including the ability to modify device settings, intercept network traffic, and potentially use the compromised device as a pivot point for further attacks within the network. Given the widespread use of Tenda routers, a large number of devices could be vulnerable, making this a significant security concern.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to \u003ccode\u003e/goform/GstDhcpSetSer\u003c/code\u003e with unusually long \u003ccode\u003edips\u003c/code\u003e parameter values to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eDetect Tenda F456 Buffer Overflow Attempt\u003c/code\u003e to identify malicious HTTP requests.\u003c/li\u003e\n\u003cli\u003eSince no patch is available, consider replacing the affected Tenda F456 routers (version 1.0.0.5) with more secure alternatives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-27T04:16:09Z","date_published":"2026-04-27T04:16:09Z","id":"/briefs/2026-04-tenda-f456-bo/","summary":"A buffer overflow vulnerability exists in Tenda F456 version 1.0.0.5 in the `fromGstDhcpSetSer` function, allowing remote attackers to execute arbitrary code by manipulating the 'dips' argument via a crafted HTTP request to `/goform/GstDhcpSetSer`.","title":"Tenda F456 Router Buffer Overflow 
Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-tenda-f456-bo/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7036"}],"_cs_exploited":false,"_cs_products":["i9"],"_cs_severities":["high"],"_cs_tags":["cve-2026-7036","path-traversal","tenda","network"],"_cs_type":"advisory","_cs_vendors":["Tenda"],"content_html":"\u003cp\u003eA path traversal vulnerability, identified as CVE-2026-7036, exists in Tenda i9 version 1.0.0.5(2204). Specifically, the vulnerability resides in the R7WebsSecurityHandler function of the HTTP Handler component. This flaw allows a remote, unauthenticated attacker to potentially access sensitive files and directories on the affected device. The vulnerability was reported on 2026-04-26, and a public exploit is reportedly available, increasing the risk of exploitation. This poses a significant threat to organizations using the affected Tenda i9 router, as it could lead to unauthorized access to sensitive information or system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a Tenda i9 router running firmware version 1.0.0.5(2204) accessible over the network.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the vulnerable R7WebsSecurityHandler function.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a path traversal sequence (e.g., \u0026ldquo;../\u0026rdquo;) within the URL or request parameters.\u003c/li\u003e\n\u003cli\u003eThe Tenda i9 router processes the malicious request without proper sanitization of the path.\u003c/li\u003e\n\u003cli\u003eThe R7WebsSecurityHandler function incorrectly interprets the path traversal sequence, allowing access to files or directories outside the intended web root.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive files, such as configuration files or system logs.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the exposed information to further compromise the device or the network it is connected to.\u003c/li\u003e\n\u003cli\u003eThe attacker could potentially modify system files or execute commands, leading to full device compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7036 can lead to unauthorized access to sensitive files on the Tenda i9 router. This includes configuration files containing credentials, system logs, or other confidential data. An attacker could leverage this access to gain further control of the device, potentially leading to a complete system compromise. While the number of affected devices is currently unknown, given the widespread use of Tenda routers, the potential impact could be significant.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule (\u0026ldquo;Detect Tenda i9 Path Traversal Attempt\u0026rdquo;) to flag HTTP requests containing path traversal sequences against web servers, which indicate exploitation attempts.\u003c/li\u003e\n\u003cli\u003eSince the source mentions a public exploit exists, prioritize patching or replacing vulnerable Tenda i9 routers to remediate CVE-2026-7036 immediately, if a patch becomes available.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual file access patterns or requests containing suspicious path traversal sequences.\u003c/li\u003e\n\u003cli\u003eImplement web application firewall (WAF) rules to block requests containing path traversal sequences.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-26T12:16:22Z","date_published":"2026-04-26T12:16:22Z","id":"/briefs/2026-04-tenda-path-traversal/","summary":"CVE-2026-7036 is a path traversal vulnerability affecting the R7WebsSecurityHandler function in the HTTP Handler component of Tenda i9 version 1.0.0.5(2204), allowing remote attackers to 
access sensitive files.","title":"Tenda i9 Path Traversal Vulnerability (CVE-2026-7036)","url":"https://feed.craftedsignal.io/briefs/2026-04-tenda-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-7033"}],"_cs_exploited":false,"_cs_products":["F456 1.0.0.5"],"_cs_severities":["critical"],"_cs_tags":["buffer-overflow","remote-code-execution","cve-2026-7033","router"],"_cs_type":"advisory","_cs_vendors":["Tenda"],"content_html":"\u003cp\u003eA buffer overflow vulnerability has been identified in Tenda F456 router, specifically version 1.0.0.5. The vulnerability resides within the \u003ccode\u003efromSafeClientFilter\u003c/code\u003e function located in the \u003ccode\u003e/goform/SafeClientFilter\u003c/code\u003e file. Successful exploitation allows a remote attacker to inject and execute arbitrary code. Publicly available exploit code exists, increasing the risk of widespread exploitation targeting vulnerable Tenda F456 devices. This issue poses a significant threat to network security, as a compromised router can lead to data breaches, denial of service, or further network intrusion.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Tenda F456 router running firmware version 1.0.0.5 exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/goform/SafeClientFilter\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a specially designed payload within the \u003ccode\u003emenufacturer/Go\u003c/code\u003e argument. 
This payload is designed to trigger a buffer overflow in the \u003ccode\u003efromSafeClientFilter\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efromSafeClientFilter\u003c/code\u003e function processes the malicious input without proper bounds checking.\u003c/li\u003e\n\u003cli\u003eThe oversized payload overwrites adjacent memory regions, potentially including return addresses or other critical data.\u003c/li\u003e\n\u003cli\u003eWhen the \u003ccode\u003efromSafeClientFilter\u003c/code\u003e function attempts to return, the overwritten return address is used, redirecting execution flow to attacker-controlled memory.\u003c/li\u003e\n\u003cli\u003eThe attacker-controlled memory contains shellcode or other malicious instructions.\u003c/li\u003e\n\u003cli\u003eThe router executes the attacker\u0026rsquo;s code, granting the attacker control over the device.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can result in complete compromise of the Tenda F456 router. An attacker can gain unauthorized access to network traffic, modify router settings, or use the compromised device as a launchpad for further attacks within the network. Given the public availability of exploit code, a large number of Tenda F456 routers could be targeted, potentially affecting numerous home and small business networks. 
A successful attack could lead to data theft, service disruption, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply any available patches or firmware updates released by Tenda to address CVE-2026-7033 on the F456 1.0.0.5 routers.\u003c/li\u003e\n\u003cli\u003eImplement network intrusion detection systems (IDS) or intrusion prevention systems (IPS) rules to detect and block malicious requests targeting the \u003ccode\u003e/goform/SafeClientFilter\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to your SIEM to detect exploitation attempts targeting the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to \u003ccode\u003e/goform/SafeClientFilter\u003c/code\u003e with abnormally large \u003ccode\u003emenufacturer/Go\u003c/code\u003e argument values.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-26T11:16:06Z","date_published":"2026-04-26T11:16:06Z","id":"/briefs/2026-04-tenda-buffer-overflow/","summary":"A buffer overflow vulnerability in Tenda F456 router version 1.0.0.5 allows a remote attacker to execute arbitrary code by exploiting the fromSafeClientFilter function in the /goform/SafeClientFilter endpoint through manipulation of the 'menufacturer/Go' argument.","title":"Tenda F456 Router Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-tenda-buffer-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-6988"}],"_cs_exploited":false,"_cs_products":["HG10 HG7_HG9_HG10re_300001138_en_xpon"],"_cs_severities":["critical"],"_cs_tags":["buffer-overflow","cve-2026-6988","tenda","iot"],"_cs_type":"advisory","_cs_vendors":["Tenda"],"content_html":"\u003cp\u003eA buffer overflow vulnerability, identified as CVE-2026-6988, has been discovered in Tenda HG10 HG7_HG9_HG10re_300001138_en_xpon. 
The vulnerability resides within the Boa Service, specifically affecting the \u003ccode\u003eformRoute\u003c/code\u003e function located in the \u003ccode\u003e/boaform/formRouting\u003c/code\u003e file. Successful exploitation of this flaw enables a remote attacker to overwrite memory by crafting a malicious request with a manipulated \u003ccode\u003enextHop\u003c/code\u003e argument. This can lead to arbitrary code execution on the affected device. Given the potential for remote exploitation and the availability of a published exploit, this vulnerability poses a significant threat.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Tenda HG10 HG7_HG9_HG10re_300001138_en_xpon device with the vulnerable Boa web service exposed.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003e/boaform/formRouting\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a specially crafted \u003ccode\u003enextHop\u003c/code\u003e argument, exceeding the buffer size allocated for it.\u003c/li\u003e\n\u003cli\u003eThe Boa service processes the request without proper bounds checking on the \u003ccode\u003enextHop\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eThe oversized \u003ccode\u003enextHop\u003c/code\u003e argument overwrites adjacent memory regions, including critical program data or return addresses.\u003c/li\u003e\n\u003cli\u003eThe overwritten return address redirects execution flow to attacker-controlled code.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code on the device with the privileges of the Boa service.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the device, potentially leading to data exfiltration, device hijacking, or further network compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6988 can lead to complete compromise of the affected Tenda HG10 HG7_HG9_HG10re_300001138_en_xpon device. This may result in unauthorized access to the device\u0026rsquo;s configuration, sensitive data exposure, or the device being used as a bot in a larger attack. Given that this device is likely used in home or small business environments, a successful attack could lead to significant data breaches, financial losses, and reputational damage. The availability of a public exploit increases the likelihood of widespread exploitation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches or firmware updates released by Tenda to address CVE-2026-6988 as soon as possible.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the exposure of Tenda devices to the internet or untrusted networks.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity targeting the \u003ccode\u003e/boaform/formRouting\u003c/code\u003e endpoint to detect potential exploit attempts (webserver log source).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Tenda HG10 Buffer Overflow Attempt\u0026rdquo; to identify malicious HTTP requests exploiting the \u003ccode\u003enextHop\u003c/code\u003e argument (Sigma rule).\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on the \u003ccode\u003e/boaform/formRouting\u003c/code\u003e endpoint to mitigate potential brute-force exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-25T18:18:16Z","date_published":"2026-04-25T18:18:16Z","id":"/briefs/2026-04-tenda-hg10-bo/","summary":"A buffer overflow vulnerability in Tenda HG10 HG7_HG9_HG10re_300001138_en_xpon allows remote attackers to execute arbitrary code by manipulating the nextHop argument in the formRoute function of the /boaform/formRouting 
file, impacting device availability and integrity.","title":"Tenda HG10 HG7_HG9_HG10re_300001138_en_xpon Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-tenda-hg10-bo/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2018-25318"}],"_cs_exploited":false,"_cs_products":["FH303/A300 firmware"],"_cs_severities":["critical"],"_cs_tags":["cve-2018-25318","tenda","dns-hijacking","network"],"_cs_type":"advisory","_cs_vendors":["Tenda"],"content_html":"\u003cp\u003eCVE-2018-25318 affects Tenda FH303/A300 routers running firmware version V5.07.68_EN. This vulnerability stems from a session weakness related to insufficient cookie validation. An unauthenticated attacker can exploit this flaw to modify the DNS settings of the router. By sending a crafted GET request to the \u003ccode\u003e/goform/AdvSetDns\u003c/code\u003e endpoint, an attacker can inject a malicious admin cookie. This allows them to overwrite the configured DNS servers, potentially redirecting all network traffic from connected devices through attacker-controlled infrastructure. This can lead to phishing attacks, malware distribution, and other malicious activities. 
The vulnerability poses a significant risk to home and small office networks using the affected Tenda routers.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable Tenda FH303/A300 router running firmware V5.07.68_EN.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP GET request targeting the \u003ccode\u003e/goform/AdvSetDns\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted GET request includes a forged admin cookie, bypassing authentication checks due to the session weakness.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted GET request to the router\u0026rsquo;s management interface.\u003c/li\u003e\n\u003cli\u003eThe router, due to insufficient cookie validation, accepts the forged cookie and processes the request.\u003c/li\u003e\n\u003cli\u003eThe request modifies the DNS server settings on the router, replacing the legitimate DNS servers with attacker-controlled DNS servers.\u003c/li\u003e\n\u003cli\u003eUsers connected to the router unknowingly use the attacker\u0026rsquo;s DNS servers for name resolution.\u003c/li\u003e\n\u003cli\u003eDNS requests are redirected to malicious IPs controlled by the attacker, potentially leading to phishing sites or malware downloads.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2018-25318 allows an attacker to perform DNS hijacking on affected Tenda routers. This can redirect users to malicious websites designed to steal credentials, distribute malware, or conduct other harmful activities. The vulnerability poses a critical risk to users of the affected routers, as it can compromise their online security and privacy. The CVSS v3.1 base score for this vulnerability is 9.8, highlighting its severity. 
The number of affected users is dependent on the number of deployed vulnerable devices.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for requests to \u003ccode\u003e/goform/AdvSetDns\u003c/code\u003e with unusual parameters (Sigma rule: \u0026ldquo;Detect Tenda Router DNS Hijacking Attempt\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eIf possible, upgrade the router firmware to a version that patches CVE-2018-25318.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of compromised devices.\u003c/li\u003e\n\u003cli\u003eConsider using a reputable DNS service with built-in security features to mitigate the impact of DNS hijacking attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:00:00Z","date_published":"2024-01-03T18:00:00Z","id":"/briefs/2024-01-tenda-dns-hijacking/","summary":"Tenda FH303/A300 firmware V5.07.68_EN contains a session weakness vulnerability (CVE-2018-25318) that allows unauthenticated attackers to modify DNS settings by exploiting insufficient cookie validation, potentially redirecting user traffic to malicious sites.","title":"Tenda FH303/A300 DNS Hijacking Vulnerability (CVE-2018-25318)","url":"https://feed.craftedsignal.io/briefs/2024-01-tenda-dns-hijacking/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-7096"}],"_cs_exploited":false,"_cs_products":["HG3 2.0 300003070"],"_cs_severities":["critical"],"_cs_tags":["command-injection","router","tenda"],"_cs_type":"advisory","_cs_vendors":["Tenda"],"content_html":"\u003cp\u003eA critical command injection vulnerability, identified as CVE-2026-7096, affects Tenda HG3 2.0 300003070 routers. The vulnerability resides in the \u0026lsquo;formgponConf\u0026rsquo; function within the \u0026lsquo;/boaform/admin/formgponConf\u0026rsquo; file. An attacker can exploit this flaw by manipulating the \u0026lsquo;fmgpon_loid\u0026rsquo; argument. 
Successful exploitation allows a remote attacker to execute arbitrary operating system commands on the affected device. Given the public availability of an exploit, Tenda HG3 devices are at immediate risk of compromise. This poses a significant threat as attackers can potentially gain full control of the router, compromise connected networks, and exfiltrate sensitive information.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Tenda HG3 2.0 300003070 router with an exposed web interface.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u0026lsquo;/boaform/admin/formgponConf\u0026rsquo; endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker injects a payload containing OS commands into the \u0026lsquo;fmgpon_loid\u0026rsquo; parameter of the POST request.\u003c/li\u003e\n\u003cli\u003eThe Tenda HG3 router\u0026rsquo;s web server processes the request without proper input validation of the \u0026lsquo;fmgpon_loid\u0026rsquo; parameter.\u003c/li\u003e\n\u003cli\u003eThe injected OS command is executed by the router\u0026rsquo;s operating system with the privileges of the web server process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote code execution on the Tenda HG3 router.\u003c/li\u003e\n\u003cli\u003eThe attacker may establish a reverse shell to maintain persistent access or download further malicious payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker can then pivot to internal networks, exfiltrate data, or use the compromised router for other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7096 grants attackers the ability to execute arbitrary OS commands on the Tenda HG3 router. 
This can lead to complete compromise of the device, allowing attackers to modify router settings, intercept network traffic, and potentially gain access to connected devices on the local network. Given the widespread use of Tenda routers in home and small business environments, a successful attack could impact thousands of users. The vulnerability\u0026rsquo;s high CVSS score of 8.8 underscores the severity and potential for widespread damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Tenda HG3 Command Injection Attempt\u0026rdquo; to your SIEM to identify exploitation attempts by monitoring HTTP POST requests to \u0026lsquo;/boaform/admin/formgponConf\u0026rsquo; with suspicious commands in the \u0026lsquo;fmgpon_loid\u0026rsquo; parameter.\u003c/li\u003e\n\u003cli\u003eImplement network intrusion detection system (NIDS) rules to detect malicious payloads in HTTP POST requests targeting the vulnerable endpoint, as described in the \u0026ldquo;Attack Chain\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003eWhile no specific IOCs are provided, analyze network traffic and web server logs for unusual activity originating from or targeting Tenda HG3 routers.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for HTTP POST requests to /boaform/admin/formgponConf (described in Attack Chain step 2).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-tenda-hg3-command-injection/","summary":"A command injection vulnerability (CVE-2026-7096) exists in the Tenda HG3 2.0 300003070 router, allowing remote attackers to execute arbitrary OS commands by manipulating the 'fmgpon_loid' argument in the 'formgponConf' function of the '/boaform/admin/formgponConf' file due to insufficient input validation.","title":"Tenda HG3 Router Command Injection Vulnerability 
(CVE-2026-7096)","url":"https://feed.craftedsignal.io/briefs/2024-01-tenda-hg3-command-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-7034"}],"_cs_exploited":false,"_cs_products":["FH1202 1.2.0.14(408)"],"_cs_severities":["critical"],"_cs_tags":["cve-2026-7034","buffer-overflow","router","tenda"],"_cs_type":"advisory","_cs_vendors":["Tenda"],"content_html":"\u003cp\u003eA critical stack-based buffer overflow vulnerability, identified as CVE-2026-7034, has been discovered in Tenda FH1202 version 1.2.0.14(408). The vulnerability resides within the \u003ccode\u003eWrlExtraSet\u003c/code\u003e function of the \u003ccode\u003e/goform/WrlExtraSet\u003c/code\u003e component, which is part of the device\u0026rsquo;s \u003ccode\u003ehttpd\u003c/code\u003e server. A remote attacker can exploit this vulnerability by crafting a malicious HTTP request that manipulates the \u003ccode\u003eGo\u003c/code\u003e argument, leading to arbitrary code execution on the affected device. The exploit for this vulnerability has been made public, increasing the risk of widespread exploitation. 
This vulnerability poses a significant threat to users of the Tenda FH1202 router as it allows for complete compromise of the device.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Tenda FH1202 router exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/goform/WrlExtraSet\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a \u003ccode\u003eGo\u003c/code\u003e parameter with a payload exceeding the expected buffer size, triggering the stack-based buffer overflow.\u003c/li\u003e\n\u003cli\u003eThe overflow overwrites critical return addresses on the stack.\u003c/li\u003e\n\u003cli\u003eThe overwritten return address is redirected to malicious code injected by the attacker within the overflowed buffer.\u003c/li\u003e\n\u003cli\u003eThe injected code executes with the privileges of the \u003ccode\u003ehttpd\u003c/code\u003e process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains complete control of the device, potentially allowing for the installation of malware, modification of router settings, or interception of network traffic.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a remote attacker to gain complete control of the Tenda FH1202 router. This can lead to a variety of malicious activities, including installing persistent backdoors, modifying DNS settings to redirect traffic, or using the compromised device as part of a botnet. The lack of required authentication for exploitation increases the severity, making it easily exploitable. 
While the exact number of affected devices is unknown, the widespread use of Tenda routers suggests a potentially large number of vulnerable targets.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to \u003ccode\u003e/goform/WrlExtraSet\u003c/code\u003e with unusually long \u003ccode\u003eGo\u003c/code\u003e parameter values to detect potential exploitation attempts. Reference the Sigma rule \u003ccode\u003eDetect Suspicious WrlExtraSet Requests\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting for requests to the \u003ccode\u003e/goform/WrlExtraSet\u003c/code\u003e endpoint to mitigate brute-force exploitation attempts.\u003c/li\u003e\n\u003cli\u003eConsider blocking or alerting on requests to \u003ccode\u003e/goform/WrlExtraSet\u003c/code\u003e originating from outside the expected user base (e.g., requests originating from outside the country where the organization operates).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-tenda-fh1202-bo/","summary":"A stack-based buffer overflow vulnerability exists in the Tenda FH1202 router, specifically in the WrlExtraSet function, allowing remote attackers to execute arbitrary code by manipulating the 'Go' argument in a request to /goform/WrlExtraSet.","title":"Tenda FH1202 Stack-Based Buffer Overflow Vulnerability (CVE-2026-7034)","url":"https://feed.craftedsignal.io/briefs/2024-01-tenda-fh1202-bo/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-7098"}],"_cs_exploited":false,"_cs_products":["F456"],"_cs_severities":["critical"],"_cs_tags":["cve-2026-7098","buffer-overflow","router"],"_cs_type":"advisory","_cs_vendors":["Tenda"],"content_html":"\u003cp\u003eA critical buffer overflow vulnerability, identified as CVE-2026-7098, has been discovered in Tenda F456 router version 1.0.0.5. 
The vulnerability resides within the \u003ccode\u003efromDhcpListClient\u003c/code\u003e function of the \u003ccode\u003e/goform/DhcpListClient\u003c/code\u003e component\u0026rsquo;s \u003ccode\u003ehttpd\u003c/code\u003e service. An attacker can exploit this flaw by remotely manipulating the \u003ccode\u003epage\u003c/code\u003e argument, leading to a buffer overflow. Publicly available exploit code exists, increasing the risk of widespread exploitation. Successful exploitation could allow an attacker to execute arbitrary code on the device, potentially gaining full control of the router and the network it serves. This poses a significant threat to home and small business users relying on these routers.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable Tenda F456 router (version 1.0.0.5) accessible over the network.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003e/goform/DhcpListClient\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a \u003ccode\u003epage\u003c/code\u003e argument with a payload designed to overflow the buffer in the \u003ccode\u003efromDhcpListClient\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ehttpd\u003c/code\u003e service processes the request and calls the \u003ccode\u003efromDhcpListClient\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eDue to insufficient bounds checking, the oversized payload overwrites the buffer, potentially overwriting adjacent memory regions.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s payload overwrites the return address on the stack with a pointer to attacker-controlled code.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efromDhcpListClient\u003c/code\u003e function returns, causing execution to jump to the attacker-controlled code.\u003c/li\u003e\n\u003cli\u003eThe 
attacker-controlled code executes with the privileges of the \u003ccode\u003ehttpd\u003c/code\u003e service, potentially allowing for full control of the device.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can allow a remote attacker to execute arbitrary code on the Tenda F456 router. This could lead to a complete compromise of the device, allowing the attacker to modify router settings, intercept network traffic, or use the router as a pivot point for further attacks within the network. Given the ease of exploitation and public availability of exploit code, a large number of Tenda F456 users are at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests to \u003ccode\u003e/goform/DhcpListClient\u003c/code\u003e with unusually long \u003ccode\u003epage\u003c/code\u003e parameters to detect potential exploitation attempts (see Sigma rule \u0026ldquo;Detect Tenda F456 Buffer Overflow Attempt\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on requests to the \u003ccode\u003e/goform/DhcpListClient\u003c/code\u003e endpoint to mitigate the impact of potential attacks.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Tenda F456 Buffer Overflow Response\u0026rdquo; to identify successful exploitation attempts based on server response codes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-tenda-f456-buffer-overflow/","summary":"A remote buffer overflow vulnerability exists in Tenda F456 version 1.0.0.5 via manipulation of the 'page' argument in the fromDhcpListClient function of the /goform/DhcpListClient component, potentially leading to arbitrary code execution.","title":"Tenda F456 Remote Buffer Overflow 
Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-tenda-f456-buffer-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed — Tenda","version":"https://jsonfeed.org/version/1.1"}