<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Tenda — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/tenda/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 30 Apr 2026 03:16:01 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/tenda/feed.xml" rel="self" type="application/rss+xml"/><item><title>Tenda 4G300 Stack-Based Buffer Overflow Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-04-tenda-stack-overflow/</link><pubDate>Thu, 30 Apr 2026 03:16:01 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-tenda-stack-overflow/</guid><description>A remote stack-based buffer overflow vulnerability exists in the Tenda 4G300 router, version US_4G300V1.0Mt_V1.01.42_CN_TDC01, allowing an attacker to potentially execute arbitrary code by manipulating the 'page' argument to the sub_427C3C function in the /goform/SafeMacFilter file.</description><content:encoded><![CDATA[<p>A stack-based buffer overflow vulnerability has been identified in Tenda 4G300 routers, specifically version US_4G300V1.0Mt_V1.01.42_CN_TDC01. The vulnerability resides within the <code>sub_427C3C</code> function located in the <code>/goform/SafeMacFilter</code> file. An attacker can exploit this flaw by manipulating the <code>page</code> argument in a crafted request, leading to a buffer overflow and potentially allowing for arbitrary code execution on the affected device. 
The vulnerability, identified as CVE-2026-7470, poses a significant risk as remote exploitation is possible, and a proof-of-concept exploit is publicly available, increasing the likelihood of malicious actors leveraging this vulnerability.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a Tenda 4G300 router running the vulnerable firmware version US_4G300V1.0Mt_V1.01.42_CN_TDC01.</li>
<li>The attacker crafts a malicious HTTP POST request targeting the <code>/goform/SafeMacFilter</code> endpoint.</li>
<li>The crafted request includes the <code>page</code> argument with a payload exceeding the buffer size allocated for it within the <code>sub_427C3C</code> function.</li>
<li>The router processes the HTTP request, passing the oversized <code>page</code> argument to the vulnerable function.</li>
<li>The <code>sub_427C3C</code> function attempts to write the oversized data into a stack-based buffer, causing a buffer overflow.</li>
<li>The buffer overflow overwrites adjacent memory on the stack, including the return address.</li>
<li>The attacker redirects execution flow to a malicious code payload injected into the request or elsewhere in memory.</li>
<li>The injected code executes with the privileges of the router process, potentially allowing the attacker to gain full control of the device.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability can lead to complete compromise of the Tenda 4G300 router. An attacker could gain unauthorized access to the device&rsquo;s configuration, intercept network traffic, or use the router as a launching point for further attacks against other devices on the network or the internet. Given the widespread use of these routers in homes and small businesses, a successful attack could impact a large number of users.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor web server logs for unusual POST requests to <code>/goform/SafeMacFilter</code> with abnormally long <code>page</code> parameters. Use the provided Sigma rule to detect suspicious activity.</li>
<li>Implement rate limiting on the <code>/goform/SafeMacFilter</code> endpoint to mitigate potential brute-force exploitation attempts.</li>
<li>Apply any available patches or firmware updates released by Tenda to address CVE-2026-7470.</li>
<li>Deploy the Sigma rules in this brief to your SIEM and tune for your environment.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>buffer-overflow</category><category>tenda</category><category>router</category><category>cve-2026-7470</category></item><item><title>Tenda W308R DNS Hijacking Vulnerability (CVE-2018-25316)</title><link>https://feed.craftedsignal.io/briefs/2026-04-tenda-dns-hijack/</link><pubDate>Wed, 29 Apr 2026 20:16:27 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-tenda-dns-hijack/</guid><description>Tenda W308R v2 V5.07.48 is vulnerable to cookie session weakness, allowing unauthenticated attackers to modify DNS settings via crafted GET requests to redirect user traffic to malicious sites.</description><content:encoded><![CDATA[<p>Tenda W308R v2 running firmware V5.07.48 is susceptible to a cookie session weakness (CVE-2018-25316) that enables unauthenticated attackers to perform DNS hijacking. This vulnerability stems from insufficient session validation. An attacker can exploit this weakness by sending specially crafted GET requests to the <code>goform/AdvSetDns</code> endpoint. The malicious request includes a crafted admin language cookie, which bypasses authentication checks and allows modification of the device&rsquo;s DNS server settings. Successful exploitation allows the attacker to redirect the router&rsquo;s DNS queries to a malicious server under their control. This poses a significant risk to end-users, as it can lead to phishing attacks, malware distribution, and other malicious activities.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a vulnerable Tenda W308R v2 router running firmware V5.07.48 exposed to the internet.</li>
<li>The attacker crafts a malicious HTTP GET request targeting the <code>goform/AdvSetDns</code> endpoint.</li>
<li>The GET request includes a crafted &ldquo;admin language cookie&rdquo; designed to bypass authentication.</li>
<li>The router receives the malicious GET request and, due to insufficient session validation, incorrectly authenticates the attacker.</li>
<li>The router processes the malicious request, modifying the DNS server settings to attacker-controlled DNS servers.</li>
<li>Users connected to the compromised router now resolve domain names through the attacker&rsquo;s DNS server.</li>
<li>The attacker&rsquo;s DNS server redirects users to malicious websites, potentially serving malware or phishing pages.</li>
<li>Users unknowingly interact with the malicious content, leading to data theft, system compromise, or other harmful outcomes.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows an attacker to control DNS resolution for all devices connected to the affected Tenda W308R v2 router. This can lead to widespread redirection to phishing sites designed to steal credentials, or to sites hosting malware that infects user devices. Given the widespread use of Tenda routers, this vulnerability could impact a large number of home and small business networks. A successful attack allows the attacker to perform man-in-the-middle attacks, eavesdrop on network traffic, and compromise connected devices.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Detect Tenda Router DNS Hijack Attempt</code> to identify attempts to exploit this vulnerability by monitoring for suspicious requests to the <code>/goform/AdvSetDns</code> endpoint (log source: webserver).</li>
<li>Monitor web server logs for requests containing a crafted admin language cookie to the <code>/goform/AdvSetDns</code> endpoint, indicating potential exploitation attempts (log source: webserver).</li>
<li>Apply available patches or firmware updates from Tenda to address the cookie session weakness and prevent unauthorized DNS modifications.</li>
<li>Consider replacing the affected device if a patch is unavailable, especially in high-risk environments.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>cve-2018-25316</category><category>dns-hijacking</category><category>tenda</category><category>cookie-injection</category></item><item><title>Tenda Router DNS Hijacking via Cookie Session Weakness</title><link>https://feed.craftedsignal.io/briefs/2026-04-tenda-dns-hijacking/</link><pubDate>Wed, 29 Apr 2026 20:16:27 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-tenda-dns-hijacking/</guid><description>Tenda W3002R/A302/W309R routers with firmware V5.07.64_en are vulnerable to unauthenticated DNS hijacking, where attackers exploit a cookie session weakness to modify DNS settings via crafted GET requests.</description><content:encoded><![CDATA[<p>Tenda W3002R, A302, and W309R wireless routers running firmware version V5.07.64_en are susceptible to a cookie session weakness (CVE-2018-25317). This vulnerability allows unauthenticated attackers to remotely modify DNS settings on the affected devices. The attack exploits insufficient session validation, enabling malicious actors to inject commands and redirect user traffic to attacker-controlled DNS servers. This poses a significant risk as it can lead to phishing attacks, malware distribution, and credential theft. Exploitation is straightforward, requiring only a crafted HTTP GET request, making it accessible to unsophisticated attackers. The vulnerability was reported in April 2026.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker identifies a vulnerable Tenda router with firmware V5.07.64_en.</li>
<li>The attacker crafts an HTTP GET request targeting the <code>/goform/AdvSetDns</code> endpoint.</li>
<li>The crafted GET request includes a malicious <code>admin language</code> cookie designed to bypass session validation.</li>
<li>The attacker injects modified DNS server addresses into the GET request parameters (primary DNS and secondary DNS).</li>
<li>The vulnerable router processes the malicious GET request without proper session validation.</li>
<li>The router updates its DNS settings to the attacker-specified DNS servers.</li>
<li>Users connected to the compromised router now resolve domain names through the attacker&rsquo;s DNS server.</li>
<li>The attacker can redirect user traffic to malicious websites or intercept sensitive information.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2018-25317 allows attackers to perform DNS hijacking on vulnerable Tenda routers, potentially affecting all connected users. By controlling the DNS server, attackers can redirect users to phishing sites, distribute malware, or intercept sensitive communications. Given the ease of exploitation, a large number of routers could be compromised, leading to widespread disruption and data theft. The severity is heightened because no authentication is required to change the DNS settings.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Detect Tenda Router DNS Setting Modification</code> to monitor web server logs for requests to the <code>/goform/AdvSetDns</code> endpoint.</li>
<li>Apply network-level filtering to block connections to known malicious DNS servers based on threat intelligence feeds.</li>
<li>Although no firmware update is available, consider replacing end-of-life Tenda routers (W3002R/A302/W309R with V5.07.64_en) with more secure models.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>cve-2018-25317</category><category>dns-hijacking</category><category>router-vulnerability</category></item><item><title>Tenda HG3 v2.0 Stack-Based Buffer Overflow in formUploadConfig</title><link>https://feed.craftedsignal.io/briefs/2026-04-tenda-hg3-overflow/</link><pubDate>Tue, 28 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-tenda-hg3-overflow/</guid><description>A stack-based buffer overflow vulnerability in the formUploadConfig function of Tenda HG3 v2.0's /boaform/formIPv6Routing file allows remote attackers to execute arbitrary code by manipulating the destNet argument.</description><content:encoded><![CDATA[<p>A stack-based buffer overflow vulnerability has been identified in Tenda HG3 version 2.0. The vulnerability exists within the <code>formUploadConfig</code> function of the <code>/boaform/formIPv6Routing</code> file. A remote attacker can exploit this by manipulating the <code>destNet</code> argument, potentially leading to arbitrary code execution on the device. The vulnerability, identified as CVE-2026-7151, has a publicly available exploit, increasing the risk of exploitation. This poses a significant threat to users of Tenda HG3 v2.0 routers, potentially allowing attackers to gain unauthorized access and control over the device. The CVSS v3.1 score is rated as 8.8 (HIGH).</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a Tenda HG3 v2.0 router with default or known credentials, or with no authentication at all.</li>
<li>The attacker sends a crafted HTTP POST request to <code>/boaform/formIPv6Routing</code>.</li>
<li>The request targets the <code>formUploadConfig</code> function.</li>
<li>The <code>destNet</code> argument within the HTTP POST data is manipulated with a string exceeding the buffer size.</li>
<li>The <code>formUploadConfig</code> function processes the oversized <code>destNet</code> argument without proper bounds checking.</li>
<li>This causes a stack-based buffer overflow, overwriting adjacent memory regions on the stack.</li>
<li>The attacker gains arbitrary code execution on the device by overwriting the return address or other critical data on the stack.</li>
<li>The attacker can then leverage this to gain full control of the device, potentially modifying settings, injecting malware, or using it as part of a botnet.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the affected Tenda HG3 v2.0 router. This could lead to complete compromise of the device, allowing the attacker to monitor network traffic, change router settings, or use the device as a launchpad for further attacks against other devices on the network. Given the potential for widespread exploitation due to the publicly available exploit, a large number of Tenda HG3 v2.0 users are at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor web server logs for unusual POST requests to <code>/boaform/formIPv6Routing</code> with excessively long <code>destNet</code> parameters to detect potential exploit attempts (see example Sigma rule below).</li>
<li>Implement rate limiting for requests to <code>/boaform/formIPv6Routing</code> to mitigate brute-force exploitation attempts.</li>
<li>Apply available patches or firmware updates from Tenda to address CVE-2026-7151 on vulnerable HG3 2.0 devices.</li>
<li>Consider deploying a web application firewall (WAF) rule to filter out malicious requests targeting the <code>destNet</code> parameter in <code>/boaform/formIPv6Routing</code>.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>cve-2026-7151</category><category>buffer-overflow</category><category>tenda</category><category>router</category></item><item><title>Tenda HG3 2.0 Command Injection Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-04-tenda-hg3-command-injection/</link><pubDate>Mon, 27 Apr 2026 22:16:18 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-tenda-hg3-command-injection/</guid><description>Tenda HG3 2.0 is vulnerable to command injection; by manipulating the datasize argument in the formTracert function of the /boaform/formTracert file, a remote attacker can inject commands.</description><content:encoded><![CDATA[<p>Tenda HG3 2.0 is vulnerable to a command injection vulnerability (CVE-2026-7160) affecting the formTracert function in the /boaform/formTracert file. A remote attacker can exploit this by manipulating the datasize argument to inject arbitrary commands into the system. The vulnerability has a CVSS v3.1 score of 8.8, indicating a high severity. Public disclosure and potential exploitation make this a critical issue for users of the Tenda HG3 2.0 router. Successful exploitation allows an attacker to execute arbitrary commands on the device, potentially leading to complete system compromise.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a vulnerable Tenda HG3 2.0 router with an exposed web interface.</li>
<li>The attacker crafts a malicious HTTP request targeting the /boaform/formTracert endpoint.</li>
<li>The malicious request includes a manipulated datasize argument designed to inject a command.</li>
<li>The web server processes the request and passes the manipulated datasize argument to the formTracert function.</li>
<li>The formTracert function fails to properly sanitize the input, allowing the injected command to be executed by the system.</li>
<li>The injected command executes with the privileges of the web server process.</li>
<li>The attacker gains arbitrary code execution on the router.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary commands on the Tenda HG3 2.0 router. This can lead to complete compromise of the device, including modification of router settings, interception of network traffic, and potential use of the router as a botnet node. Given the high base score of 8.8, this poses a significant risk to affected users.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply available patches or firmware updates provided by Tenda to address CVE-2026-7160.</li>
<li>Monitor web server logs for suspicious POST requests to <code>/boaform/formTracert</code> with unusual <code>datasize</code> parameters, as covered by the Sigma rule &ldquo;Detect Tenda HG3 Command Injection Attempt&rdquo;.</li>
<li>Implement network intrusion detection system (IDS) rules to detect and block exploit attempts targeting this vulnerability.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>command-injection</category><category>cve-2026-7160</category><category>tenda</category></item><item><title>Tenda F456 Router Buffer Overflow Vulnerability (CVE-2026-7101)</title><link>https://feed.craftedsignal.io/briefs/2026-04-tenda-f456-buffer-overflow/</link><pubDate>Mon, 27 Apr 2026 09:19:31 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-tenda-f456-buffer-overflow/</guid><description>A buffer overflow vulnerability in Tenda F456 version 1.0.0.5 allows remote attackers to execute arbitrary code via a crafted request to the fromWrlclientSet function in the /goform/WrlclientSet file of the httpd component.</description><content:encoded><![CDATA[<p>A critical buffer overflow vulnerability, identified as CVE-2026-7101, has been discovered in Tenda F456 router version 1.0.0.5. The vulnerability resides in the <code>fromWrlclientSet</code> function within the <code>/goform/WrlclientSet</code> file, which is part of the router&rsquo;s httpd component. Successful exploitation allows remote attackers to execute arbitrary code on the device. Publicly available exploit code exists, increasing the risk of widespread exploitation. This vulnerability poses a significant threat to home and small business networks using the affected Tenda router model, potentially leading to complete device compromise and unauthorized network access. The vulnerability was published on 2026-04-27 and is tracked by VulDB.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a vulnerable Tenda F456 router running firmware version 1.0.0.5.</li>
<li>The attacker crafts a malicious HTTP request targeting the <code>/goform/WrlclientSet</code> endpoint.</li>
<li>The crafted request includes an oversized payload designed to overflow the buffer in the <code>fromWrlclientSet</code> function.</li>
<li>The <code>httpd</code> process attempts to process the request without proper bounds checking.</li>
<li>The buffer overflow occurs, overwriting adjacent memory regions, including critical program data and execution pointers.</li>
<li>The attacker gains control of the program execution flow.</li>
<li>The attacker executes arbitrary code on the router, potentially including shell commands or custom malware.</li>
<li>The attacker achieves complete control of the router, potentially enabling network reconnaissance, data exfiltration, or further attacks on the local network.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this buffer overflow vulnerability allows a remote attacker to execute arbitrary code on the Tenda F456 router. This can lead to complete device compromise, allowing the attacker to control network traffic, modify router settings, or use the compromised device as a pivot point for further attacks within the network. Given the wide usage of Tenda routers in home and small business environments, a successful widespread exploitation could impact thousands of users.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade to a patched firmware version if available from the vendor.</li>
<li>Implement network segmentation to limit the impact of a compromised router.</li>
<li>Monitor web server logs for suspicious activity targeting the <code>/goform/WrlclientSet</code> endpoint using the provided Sigma rule.</li>
<li>Implement an IPS rule to detect and block exploit attempts targeting CVE-2026-7101.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>cve-2026-7101</category><category>buffer-overflow</category><category>router</category><category>tenda</category><category>remote-code-execution</category></item><item><title>Tenda F456 Router Buffer Overflow Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-04-tenda-f456-bo/</link><pubDate>Mon, 27 Apr 2026 04:16:09 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-tenda-f456-bo/</guid><description>A buffer overflow vulnerability exists in Tenda F456 version 1.0.0.5 in the `fromGstDhcpSetSer` function, allowing remote attackers to execute arbitrary code by manipulating the 'dips' argument via a crafted HTTP request to `/goform/GstDhcpSetSer`.</description><content:encoded><![CDATA[<p>A critical buffer overflow vulnerability, identified as CVE-2026-7081, affects Tenda F456 router version 1.0.0.5. The vulnerability resides in the <code>fromGstDhcpSetSer</code> function within the <code>/goform/GstDhcpSetSer</code> file, a component of the device&rsquo;s httpd service. Successful exploitation allows a remote attacker to execute arbitrary code on the device. Publicly available exploit code increases the risk of widespread exploitation. This vulnerability poses a significant threat as it can lead to complete compromise of the affected device, potentially allowing attackers to gain unauthorized access to the network, steal sensitive information, or use the device as part of a botnet.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a vulnerable Tenda F456 router (version 1.0.0.5) exposed to the internet.</li>
<li>The attacker crafts a malicious HTTP POST request targeting the <code>/goform/GstDhcpSetSer</code> endpoint.</li>
<li>The HTTP request includes the <code>dips</code> argument, which is intentionally oversized to trigger the buffer overflow.</li>
<li>The vulnerable <code>fromGstDhcpSetSer</code> function processes the request without proper bounds checking.</li>
<li>The oversized <code>dips</code> argument overwrites adjacent memory regions on the stack.</li>
<li>The attacker carefully crafts the overflow to overwrite the return address with an address pointing to attacker-controlled code.</li>
<li>The <code>fromGstDhcpSetSer</code> function returns, causing execution to jump to the attacker&rsquo;s code.</li>
<li>The attacker&rsquo;s code executes with the privileges of the httpd process, potentially leading to full device compromise.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the affected Tenda F456 router. This can result in complete device compromise, including the ability to modify device settings, intercept network traffic, and potentially use the compromised device as a pivot point for further attacks within the network. Given the widespread use of Tenda routers, a large number of devices could be vulnerable, making this a significant security concern.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor web server logs for suspicious POST requests to <code>/goform/GstDhcpSetSer</code> with unusually long <code>dips</code> parameter values to detect potential exploitation attempts.</li>
<li>Deploy the provided Sigma rule <code>Detect Tenda F456 Buffer Overflow Attempt</code> to identify malicious HTTP requests.</li>
<li>Since no patch is available, consider replacing the affected Tenda F456 routers (version 1.0.0.5) with more secure alternatives.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>cve</category><category>buffer_overflow</category><category>router</category></item><item><title>Tenda i9 Path Traversal Vulnerability (CVE-2026-7036)</title><link>https://feed.craftedsignal.io/briefs/2026-04-tenda-path-traversal/</link><pubDate>Sun, 26 Apr 2026 12:16:22 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-tenda-path-traversal/</guid><description>CVE-2026-7036 is a path traversal vulnerability affecting the R7WebsSecurityHandler function in the HTTP Handler component of Tenda i9 version 1.0.0.5(2204), allowing remote attackers to access sensitive files.</description><content:encoded><![CDATA[<p>A path traversal vulnerability, identified as CVE-2026-7036, exists in Tenda i9 version 1.0.0.5(2204). Specifically, the vulnerability resides in the <code>R7WebsSecurityHandler</code> function of the HTTP Handler component. This flaw allows a remote, unauthenticated attacker to potentially access sensitive files and directories on the affected device. The vulnerability was reported on 2026-04-26, and a public exploit is reportedly available, increasing the risk of exploitation. This poses a significant threat to organizations using the affected Tenda i9 router, as it could lead to unauthorized access to sensitive information or system compromise.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a Tenda i9 router running firmware version 1.0.0.5(2204) accessible over the network.</li>
<li>The attacker crafts a malicious HTTP request targeting the vulnerable <code>R7WebsSecurityHandler</code> function.</li>
<li>The crafted request includes a path traversal sequence (e.g., &ldquo;../&rdquo;) within the URL or request parameters.</li>
<li>The Tenda i9 router processes the malicious request without proper sanitization of the path.</li>
<li>The <code>R7WebsSecurityHandler</code> function incorrectly interprets the path traversal sequence, allowing access to files or directories outside the intended web root.</li>
<li>The attacker gains unauthorized access to sensitive files, such as configuration files or system logs.</li>
<li>The attacker may use the exposed information to further compromise the device or the network it is connected to.</li>
<li>The attacker could potentially modify system files or execute commands, leading to full device compromise.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-7036 can lead to unauthorized access to sensitive files on the Tenda i9 router. This includes configuration files containing credentials, system logs, or other confidential data. An attacker could leverage this access to gain further control of the device, potentially leading to a complete system compromise. While the number of affected devices is currently unknown, given the widespread use of Tenda routers, the potential impact could be significant.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule &ldquo;Detect Tenda i9 Path Traversal Attempt&rdquo; to flag HTTP requests to web servers that contain path traversal sequences, indicating exploitation attempts.</li>
<li>Because the source mentions that a public exploit exists, prioritize remediation of CVE-2026-7036: apply a patch as soon as one becomes available, or replace vulnerable Tenda i9 routers.</li>
<li>Monitor web server logs for unusual file access patterns or requests containing suspicious path traversal sequences.</li>
<li>Implement web application firewall (WAF) rules to block requests containing path traversal sequences.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cve-2026-7036</category><category>path-traversal</category><category>tenda</category><category>network</category></item><item><title>Tenda F456 Router Buffer Overflow Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-04-tenda-buffer-overflow/</link><pubDate>Sun, 26 Apr 2026 11:16:06 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-tenda-buffer-overflow/</guid><description>A buffer overflow vulnerability in Tenda F456 router version 1.0.0.5 allows a remote attacker to execute arbitrary code by exploiting the fromSafeClientFilter function in the /goform/SafeClientFilter endpoint through manipulation of the 'menufacturer/Go' argument.</description><content:encoded><![CDATA[<p>A buffer overflow vulnerability has been identified in Tenda F456 router, specifically version 1.0.0.5. The vulnerability resides within the <code>fromSafeClientFilter</code> function located in the <code>/goform/SafeClientFilter</code> file. Successful exploitation allows a remote attacker to inject and execute arbitrary code. Publicly available exploit code exists, increasing the risk of widespread exploitation targeting vulnerable Tenda F456 devices. This issue poses a significant threat to network security, as a compromised router can lead to data breaches, denial of service, or further network intrusion.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a Tenda F456 router running firmware version 1.0.0.5 exposed to the internet.</li>
<li>The attacker crafts a malicious HTTP POST request targeting the <code>/goform/SafeClientFilter</code> endpoint.</li>
<li>The crafted request includes a specially designed payload within the <code>menufacturer/Go</code> argument. This payload is designed to trigger a buffer overflow in the <code>fromSafeClientFilter</code> function.</li>
<li>The <code>fromSafeClientFilter</code> function processes the malicious input without proper bounds checking.</li>
<li>The oversized payload overwrites adjacent memory regions, potentially including return addresses or other critical data.</li>
<li>When the <code>fromSafeClientFilter</code> function attempts to return, the overwritten return address is used, redirecting execution flow to attacker-controlled memory.</li>
<li>The attacker-controlled memory contains shellcode or other malicious instructions.</li>
<li>The router executes the attacker&rsquo;s code, granting the attacker control over the device.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability can result in complete compromise of the Tenda F456 router. An attacker can gain unauthorized access to network traffic, modify router settings, or use the compromised device as a launchpad for further attacks within the network. Given the public availability of exploit code, a large number of Tenda F456 routers could be targeted, potentially affecting numerous home and small business networks. A successful attack could lead to data theft, service disruption, and reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply any available patches or firmware updates released by Tenda to address CVE-2026-7033 on the F456 1.0.0.5 routers.</li>
<li>Implement network intrusion detection systems (IDS) or intrusion prevention systems (IPS) rules to detect and block malicious requests targeting the <code>/goform/SafeClientFilter</code> endpoint.</li>
<li>Deploy the Sigma rules published with this brief to your SIEM to detect exploitation attempts targeting the vulnerable endpoint.</li>
<li>Monitor web server logs for suspicious POST requests to <code>/goform/SafeClientFilter</code> with abnormally large <code>menufacturer/Go</code> argument values.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>buffer-overflow</category><category>remote-code-execution</category><category>cve-2026-7033</category><category>router</category></item><item><title>Tenda HG10 HG7_HG9_HG10re_300001138_en_xpon Buffer Overflow Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-04-tenda-hg10-bo/</link><pubDate>Sat, 25 Apr 2026 18:18:16 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-tenda-hg10-bo/</guid><description>A buffer overflow vulnerability in Tenda HG10 HG7_HG9_HG10re_300001138_en_xpon allows remote attackers to execute arbitrary code by manipulating the nextHop argument in the formRoute function of the /boaform/formRouting file, impacting device availability and integrity.</description><content:encoded><![CDATA[<p>A buffer overflow vulnerability, identified as CVE-2026-6988, has been discovered in Tenda HG10 HG7_HG9_HG10re_300001138_en_xpon. The vulnerability resides within the Boa Service, specifically affecting the <code>formRoute</code> function located in the <code>/boaform/formRouting</code> file. Successful exploitation of this flaw enables a remote attacker to overwrite memory by crafting a malicious request with a manipulated <code>nextHop</code> argument. This can lead to arbitrary code execution on the affected device. Given the potential for remote exploitation and the availability of a published exploit, this vulnerability poses a significant threat.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a vulnerable Tenda HG10 HG7_HG9_HG10re_300001138_en_xpon device with the vulnerable Boa web service exposed.</li>
<li>The attacker crafts a malicious HTTP request targeting the <code>/boaform/formRouting</code> endpoint.</li>
<li>The crafted request includes a specially crafted <code>nextHop</code> argument, exceeding the buffer size allocated for it.</li>
<li>The Boa service processes the request without proper bounds checking on the <code>nextHop</code> argument.</li>
<li>The oversized <code>nextHop</code> argument overwrites adjacent memory regions, including critical program data or return addresses.</li>
<li>The overwritten return address redirects execution flow to attacker-controlled code.</li>
<li>The attacker executes arbitrary code on the device with the privileges of the Boa service.</li>
<li>The attacker gains control of the device, potentially leading to data exfiltration, device hijacking, or further network compromise.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-6988 can lead to complete compromise of the affected Tenda HG10 HG7_HG9_HG10re_300001138_en_xpon device. This may result in unauthorized access to the device&rsquo;s configuration, sensitive data exposure, or the device being used as a bot in a larger attack. Given that this device is likely used in home or small business environments, a successful attack could lead to significant data breaches, financial losses, and reputational damage. The availability of a public exploit increases the likelihood of widespread exploitation.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply available patches or firmware updates released by Tenda to address CVE-2026-6988 as soon as possible.</li>
<li>Implement network segmentation to limit the exposure of Tenda devices to the internet or untrusted networks.</li>
<li>Monitor web server logs for suspicious activity targeting the <code>/boaform/formRouting</code> endpoint to detect potential exploit attempts (webserver log source).</li>
<li>Deploy the Sigma rule &ldquo;Detect Tenda HG10 Buffer Overflow Attempt&rdquo; to identify malicious HTTP requests exploiting the <code>nextHop</code> argument (Sigma rule).</li>
<li>Implement rate limiting on the <code>/boaform/formRouting</code> endpoint. Memory-corruption exploits against embedded devices often need many attempts to guess addresses or offsets, and throttling makes that slower and far more visible in logs.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>buffer-overflow</category><category>cve-2026-6988</category><category>tenda</category><category>iot</category></item><item><title>Tenda FH303/A300 DNS Hijacking Vulnerability (CVE-2018-25318)</title><link>https://feed.craftedsignal.io/briefs/2024-01-tenda-dns-hijacking/</link><pubDate>Wed, 03 Jan 2024 18:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-tenda-dns-hijacking/</guid><description>Tenda FH303/A300 firmware V5.07.68_EN contains a session weakness vulnerability (CVE-2018-25318) that allows unauthenticated attackers to modify DNS settings by exploiting insufficient cookie validation, potentially redirecting user traffic to malicious sites.</description><content:encoded><![CDATA[<p>CVE-2018-25318 affects Tenda FH303/A300 routers running firmware version V5.07.68_EN. This vulnerability stems from a session weakness related to insufficient cookie validation. An unauthenticated attacker can exploit this flaw to modify the DNS settings of the router. By sending a crafted GET request to the <code>/goform/AdvSetDns</code> endpoint, an attacker can inject a malicious admin cookie. This allows them to overwrite the configured DNS servers, potentially redirecting all network traffic from connected devices through attacker-controlled infrastructure. This can lead to phishing attacks, malware distribution, and other malicious activities. The vulnerability poses a significant risk to home and small office networks using the affected Tenda routers.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a vulnerable Tenda FH303/A300 router running firmware V5.07.68_EN.</li>
<li>The attacker crafts a malicious HTTP GET request targeting the <code>/goform/AdvSetDns</code> endpoint.</li>
<li>The crafted GET request includes a forged admin cookie, bypassing authentication checks due to the session weakness.</li>
<li>The attacker sends the crafted GET request to the router&rsquo;s management interface.</li>
<li>The router, due to insufficient cookie validation, accepts the forged cookie and processes the request.</li>
<li>The request modifies the DNS server settings on the router, replacing the legitimate DNS servers with attacker-controlled DNS servers.</li>
<li>Users connected to the router unknowingly use the attacker&rsquo;s DNS servers for name resolution.</li>
<li>DNS requests are redirected to malicious IPs controlled by the attacker, potentially leading to phishing sites or malware downloads.</li>
</ol>
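<p>Steps 3 to 5 hinge on what the router accepts as proof of an admin session. The C below is an added illustration, not the FH303/A300 firmware: <code>weak_is_admin</code> accepts any request that merely carries an <code>admin</code> cookie, the behaviour the advisory describes, while <code>strong_is_admin</code> accepts only a session token the server itself issued, compared in constant time. The cookie names, the one-entry session table and the token value are constructed for the example.</p>

```c
/* Added example, not Tenda's code: presence-of-cookie "authentication"
 * beside validation against a server-issued session token. */
#include <stdio.h>
#include <string.h>

/* Copy the value of cookie `name` out of a Cookie: header ("a=1; b=2").
 * Returns 1 if found, 0 otherwise. */
static int cookie_get(const char *hdr, const char *name, char *out, size_t out_sz) {
    size_t nlen = strlen(name);
    const char *p = hdr;
    while (*p) {
        while (*p == ' ' || *p == ';') p++;
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            p += nlen + 1;
            size_t i = 0;
            while (*p && *p != ';' && i + 1 < out_sz) out[i++] = *p++;
            out[i] = '\0';
            return 1;
        }
        while (*p && *p != ';') p++;   /* skip to the next cookie */
    }
    return 0;
}

/* Weak check of the kind the advisory describes: being "logged in" means the
 * client sent a cookie named admin. The client chooses the value, so any
 * forged header passes. */
static int weak_is_admin(const char *cookie_hdr) {
    char v[64];
    return cookie_get(cookie_hdr, "admin", v, sizeof v);
}

/* Server-side session state: a token handed out at login. A fixed constructed
 * value stands in for one drawn from a CSPRNG. */
static const char *g_issued_session = "f3a1c9e07b2d4e6a";

/* Constant-time equality so the comparison does not leak how many leading
 * bytes of a guessed token were right. Length is part of the result. */
static int ct_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la ^ lb);
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Hardened check: the request must carry a session cookie whose value is one
 * the server issued; an admin cookie by itself means nothing. */
static int strong_is_admin(const char *cookie_hdr) {
    char v[64];
    if (!cookie_get(cookie_hdr, "session", v, sizeof v)) return 0;
    return ct_equal(v, g_issued_session);
}

int main(void) {
    const char *forged = "admin=1; session=0000000000000000";  /* constructed */
    const char *issued = "session=f3a1c9e07b2d4e6a";           /* constructed */
    printf("weak check, forged header:   %d\n", weak_is_admin(forged));
    printf("strong check, forged header: %d\n", strong_is_admin(forged));
    printf("strong check, issued token:  %d\n", strong_is_admin(issued));
    return 0;
}
```

<p>In a real handler the token lookup would hit a session table keyed by token and check expiry as well; the point here is that the secret is generated and stored by the server, never inferred from the cookie name.</p>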
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2018-25318 allows an attacker to perform DNS hijacking on affected Tenda routers. This can redirect users to malicious websites designed to steal credentials, distribute malware, or conduct other harmful activities. The vulnerability poses a critical risk to users of the affected routers, as it can compromise their online security and privacy. The CVSS v3.1 base score for this vulnerability is 9.8, highlighting its severity. The number of affected users is dependent on the number of deployed vulnerable devices.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor web server logs for requests to <code>/goform/AdvSetDns</code> with unusual parameters (Sigma rule: &ldquo;Detect Tenda Router DNS Hijacking Attempt&rdquo;).</li>
<li>If possible, upgrade the router firmware to a version that patches CVE-2018-25318.</li>
<li>Implement network segmentation to limit the impact of compromised devices.</li>
<li>Consider using a reputable DNS service with built-in security features to mitigate the impact of DNS hijacking attacks.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>cve-2018-25318</category><category>tenda</category><category>dns-hijacking</category><category>network</category></item><item><title>Tenda HG3 Router Command Injection Vulnerability (CVE-2026-7096)</title><link>https://feed.craftedsignal.io/briefs/2024-01-tenda-hg3-command-injection/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-tenda-hg3-command-injection/</guid><description>A command injection vulnerability (CVE-2026-7096) exists in the Tenda HG3 2.0 300003070 router, allowing remote attackers to execute arbitrary OS commands by manipulating the 'fmgpon_loid' argument in the 'formgponConf' function of the '/boaform/admin/formgponConf' file due to insufficient input validation.</description><content:encoded><![CDATA[<p>A critical command injection vulnerability, identified as CVE-2026-7096, affects Tenda HG3 2.0 300003070 routers. The vulnerability resides in the <code>formgponConf</code> function within the <code>/boaform/admin/formgponConf</code> file. An attacker can exploit this flaw by manipulating the <code>fmgpon_loid</code> argument. Successful exploitation allows a remote attacker to execute arbitrary operating system commands on the affected device. Given the public availability of an exploit, Tenda HG3 devices are at immediate risk of compromise. This poses a significant threat as attackers can potentially gain full control of the router, compromise connected networks, and exfiltrate sensitive information.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a vulnerable Tenda HG3 2.0 300003070 router with an exposed web interface.</li>
<li>The attacker crafts a malicious HTTP POST request targeting the <code>/boaform/admin/formgponConf</code> endpoint.</li>
<li>The attacker injects a payload containing OS commands into the <code>fmgpon_loid</code> parameter of the POST request.</li>
<li>The Tenda HG3 router&rsquo;s web server processes the request without proper input validation of the <code>fmgpon_loid</code> parameter.</li>
<li>The injected OS command is executed by the router&rsquo;s operating system with the privileges of the web server process.</li>
<li>The attacker gains remote code execution on the Tenda HG3 router.</li>
<li>The attacker may establish a reverse shell to maintain persistent access or download further malicious payloads.</li>
<li>The attacker can then pivot to internal networks, exfiltrate data, or use the compromised router for other malicious activities.</li>
</ol>
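<p>The injection in steps 3 to 5 comes from building a shell command string with the parameter inside it. The C below is an added illustration, not Tenda&rsquo;s firmware code: <code>build_loid_cmd</code> shows the vulnerable pattern (the string that would reach <code>system()</code>), and <code>loid_is_valid</code> with <code>run_loid_tool</code> shows one way to close it, an allowlist on the value plus <code>execv</code> with no shell in between. The tool path <code>/bin/setloid</code>, the 24-character bound and the use of <code>/bin/true</code> as a stand-in for the real tool are assumptions.</p>

```c
/* Added example, not Tenda's code: OS-command injection through a
 * GPON LOID-style parameter, and the allowlist + execv fix. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Vulnerable pattern: the parameter is pasted into a command line that the
 * original code then hands to system(). With loid = "ABC123; reboot" the shell
 * runs reboot. This version only builds the string so it can be inspected;
 * it returns the length snprintf would produce (snprintf(NULL, 0, ...) is legal). */
static int build_loid_cmd(char *out, size_t out_sz, const char *loid) {
    return snprintf(out, out_sz, "/bin/setloid %s", loid);   /* assumed tool path */
}

/* Hardened, step 1: strict allowlist. A LOID is a short printable identifier;
 * accept only [A-Za-z0-9_-], 1 to 24 characters (bound is an assumption). */
static int loid_is_valid(const char *loid) {
    size_t n = strlen(loid);
    if (n == 0 || n > 24) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)loid[i];
        if (!(isalnum(c) || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* Hardened, step 2: never go through a shell. fork/execv passes the value as
 * one argv element, so ';', '|', '$(' and friends are data, not syntax.
 * Returns the tool's exit status, -1 if the value was rejected, -2 on error. */
static int run_loid_tool(const char *tool, const char *loid) {
    if (!loid_is_valid(loid)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -2;
    if (pid == 0) {
        char *const argv[] = { (char *)tool, (char *)loid, NULL };
        execv(tool, argv);
        _exit(127);                       /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -2;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -2;
}

int main(void) {
    char cmd[256];
    build_loid_cmd(cmd, sizeof cmd, "ABC123; reboot");
    printf("string the shell would have seen: %s\n", cmd);
    printf("allowlist verdict on it: %d\n", loid_is_valid("ABC123; reboot"));
    printf("exec /bin/true with a clean value: %d\n", run_loid_tool("/bin/true", "ABC123"));
    printf("exec with the injected value: %d\n", run_loid_tool("/bin/true", "ABC123; reboot"));
    return 0;
}
```

<p>Both layers matter: the allowlist rejects the request early with a clear error, and the shell-free exec means that even a value which slips past a later, looser validator cannot change what program runs.</p>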
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-7096 grants attackers the ability to execute arbitrary OS commands on the Tenda HG3 router. This can lead to complete compromise of the device, allowing attackers to modify router settings, intercept network traffic, and potentially gain access to connected devices on the local network. Given the widespread use of Tenda routers in home and small business environments, a successful attack could impact thousands of users. The vulnerability&rsquo;s high CVSS score of 8.8 underscores the severity and potential for widespread damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &ldquo;Detect Tenda HG3 Command Injection Attempt&rdquo; to your SIEM to flag HTTP POST requests to <code>/boaform/admin/formgponConf</code> whose <code>fmgpon_loid</code> parameter contains shell metacharacters or command names (Attack Chain steps 2 and 3).</li>
<li>Add network intrusion detection system (NIDS) signatures for the same payload pattern in POST bodies targeting the vulnerable endpoint.</li>
<li>No specific IOCs are published for this issue. Review web server logs and network traffic for unusual activity originating from or targeting Tenda HG3 routers, and treat any POST to <code>/boaform/admin/formgponConf</code> that does not come from the management network as suspect.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>command-injection</category><category>router</category><category>tenda</category></item><item><title>Tenda FH1202 Stack-Based Buffer Overflow Vulnerability (CVE-2026-7034)</title><link>https://feed.craftedsignal.io/briefs/2024-01-tenda-fh1202-bo/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-tenda-fh1202-bo/</guid><description>A stack-based buffer overflow vulnerability exists in the Tenda FH1202 router, specifically in the WrlExtraSet function, allowing remote attackers to execute arbitrary code by manipulating the 'Go' argument in a request to /goform/WrlExtraSet.</description><content:encoded><![CDATA[<p>A critical stack-based buffer overflow vulnerability, identified as CVE-2026-7034, has been discovered in Tenda FH1202 version 1.2.0.14(408). The vulnerability resides within the <code>WrlExtraSet</code> function of the <code>/goform/WrlExtraSet</code> component, which is part of the device&rsquo;s <code>httpd</code> server. A remote attacker can exploit this vulnerability by crafting a malicious HTTP request that manipulates the <code>Go</code> argument, leading to arbitrary code execution on the affected device. The exploit for this vulnerability has been made public, increasing the risk of widespread exploitation. This vulnerability poses a significant threat to users of the Tenda FH1202 router as it allows for complete compromise of the device.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a vulnerable Tenda FH1202 router exposed to the internet.</li>
<li>The attacker crafts a malicious HTTP POST request targeting the <code>/goform/WrlExtraSet</code> endpoint.</li>
<li>The crafted request includes a <code>Go</code> parameter with a payload exceeding the expected buffer size, triggering the stack-based buffer overflow.</li>
<li>The overflow overwrites critical return addresses on the stack.</li>
<li>The overwritten return address points into the attacker&rsquo;s payload: shellcode placed in the overflowed buffer where the stack is executable, or a chain of existing code addresses where it is not.</li>
<li>The injected code executes with the privileges of the <code>httpd</code> process.</li>
<li>The attacker gains complete control of the device, potentially allowing for the installation of malware, modification of router settings, or interception of network traffic.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows a remote attacker to gain complete control of the Tenda FH1202 router. This can lead to a variety of malicious activities, including installing persistent backdoors, modifying DNS settings to redirect traffic, or using the compromised device as part of a botnet. The lack of required authentication for exploitation increases the severity, making it easily exploitable. While the exact number of affected devices is unknown, the widespread use of Tenda routers suggests a potentially large number of vulnerable targets.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor web server logs for suspicious POST requests to <code>/goform/WrlExtraSet</code> with unusually long <code>Go</code> parameter values to detect potential exploitation attempts. Reference the Sigma rule <code>Detect Suspicious WrlExtraSet Requests</code>.</li>
<li>Implement rate limiting for requests to the <code>/goform/WrlExtraSet</code> endpoint. Exploits of this kind often need repeated attempts to land on the right address or offset, and throttling slows them down and makes them stand out in logs.</li>
<li>Consider blocking or alerting on requests to <code>/goform/WrlExtraSet</code> originating from outside the expected user base (e.g., requests originating from outside the country where the organization operates).</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>cve-2026-7034</category><category>buffer-overflow</category><category>router</category><category>tenda</category></item><item><title>Tenda F456 Remote Buffer Overflow Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2024-01-tenda-f456-buffer-overflow/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-tenda-f456-buffer-overflow/</guid><description>A remote buffer overflow vulnerability exists in Tenda F456 version 1.0.0.5 via manipulation of the 'page' argument in the fromDhcpListClient function of the /goform/DhcpListClient component, potentially leading to arbitrary code execution.</description><content:encoded><![CDATA[<p>A critical buffer overflow vulnerability, identified as CVE-2026-7098, has been discovered in Tenda F456 router version 1.0.0.5. The vulnerability resides within the <code>fromDhcpListClient</code> function, the handler that the device&rsquo;s <code>httpd</code> service runs for the <code>/goform/DhcpListClient</code> endpoint. An attacker can exploit this flaw by sending a request whose <code>page</code> argument is longer than the handler&rsquo;s buffer, causing a buffer overflow. Publicly available exploit code exists, increasing the risk of widespread exploitation. Successful exploitation could allow an attacker to execute arbitrary code on the device, potentially gaining full control of the router and the network it serves. This poses a significant threat to home and small business users relying on these routers.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a vulnerable Tenda F456 router (version 1.0.0.5) accessible over the network.</li>
<li>The attacker crafts a malicious HTTP request targeting the <code>/goform/DhcpListClient</code> endpoint.</li>
<li>The crafted request includes a <code>page</code> argument with a payload designed to overflow the buffer in the <code>fromDhcpListClient</code> function.</li>
<li>The <code>httpd</code> service processes the request and calls the <code>fromDhcpListClient</code> function.</li>
<li>Due to insufficient bounds checking, the oversized payload overruns the buffer and overwrites adjacent stack memory.</li>
<li>The attacker&rsquo;s payload overwrites the return address on the stack with a pointer to attacker-controlled code.</li>
<li>The <code>fromDhcpListClient</code> function returns, causing execution to jump to the attacker-controlled code.</li>
<li>The attacker-controlled code executes with the privileges of the <code>httpd</code> service, potentially allowing for full control of the device.</li>
</ol>
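<p>The four stack-overflow chains on this page (F456 <code>SafeClientFilter</code>, HG10 <code>formRouting</code> <code>nextHop</code>, FH1202 <code>WrlExtraSet</code> <code>Go</code>, and the <code>DhcpListClient</code> <code>page</code> argument above) share one root cause: a request parameter copied into a fixed-size stack buffer with no length check. The C below is an added illustration, not code from any Tenda firmware. <code>websGetVar</code> is a stand-in for the form-variable lookup these GoAhead/Boa handlers perform; the 32-byte buffer size and the handler and helper names are assumptions.</p>

```c
/* Added example, not Tenda's code: the unbounded-copy pattern behind the
 * stack overflows on this page, beside a bounded copy that rejects
 * over-long input. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_BUF_SZ 32   /* assumed size of the handler's stack buffer */

/* Minimal stand-in for the form-variable lookup (websGetVar in GoAhead). */
typedef struct { const char *key; const char *val; } form_kv_t;
typedef struct { const form_kv_t *kv; size_t n; } form_t;

static const char *websGetVar(const form_t *f, const char *key, const char *dflt) {
    for (size_t i = 0; i < f->n; i++)
        if (strcmp(f->kv[i].key, key) == 0) return f->kv[i].val;
    return dflt;
}

/* Vulnerable pattern: strcpy of a request parameter into a fixed stack
 * buffer. A value of 32 bytes or more runs past `page` into saved registers
 * and the return address (Attack Chain steps 5 to 7). Only ever call this
 * with short input; with long input it is undefined behaviour. */
static int vuln_handler(const form_t *f) {
    char page[PAGE_BUF_SZ];
    strcpy(page, websGetVar(f, "page", ""));   /* no length check */
    return (int)strlen(page);
}

/* Hardened copy: measure with an upper bound, reject anything that does not
 * fit together with its NUL terminator, then copy exactly that many bytes.
 * Rejecting beats silent truncation, which corrupts the stored setting. */
static int safe_copy_param(char *dst, size_t dst_sz, const char *src) {
    size_t n = 0;
    while (n < dst_sz && src[n] != '\0') n++;
    if (n >= dst_sz) return -1;            /* too long (or unterminated within dst_sz) */
    memcpy(dst, src, n + 1);
    return (int)n;
}

static int safe_handler(const form_t *f) {
    char page[PAGE_BUF_SZ];
    if (safe_copy_param(page, sizeof page, websGetVar(f, "page", "")) < 0)
        return -1;                          /* a real handler would answer 400 here */
    return (int)strlen(page);
}

/* Helpers that build a one-parameter request for demonstration and tests. */
static int run_vuln(const char *v) {
    form_kv_t kv[] = { { "page", v } };
    form_t f = { kv, 1 };
    return vuln_handler(&f);
}

static int run_safe_with_len(size_t len) {
    char *v = malloc(len + 1);
    if (!v) return -2;
    memset(v, 'A', len);
    v[len] = '\0';
    form_kv_t kv[] = { { "page", v } };
    form_t f = { kv, 1 };
    int r = safe_handler(&f);
    free(v);
    return r;
}

int main(void) {
    printf("vulnerable handler, short value:   %d\n", run_vuln("1"));
    printf("hardened handler, 31-byte value:   %d\n", run_safe_with_len(31));
    printf("hardened handler, 32-byte value:   %d\n", run_safe_with_len(32));
    printf("hardened handler, 4096-byte value: %d\n", run_safe_with_len(4096));
    return 0;
}
```

<p>On a real device the fix belongs in every <code>/goform</code> and <code>/boaform</code> handler that copies a parameter, and ideally in the lookup helper itself, so that a bound is enforced once rather than per call site. Compiler hardening (stack canaries, non-executable stack, ASLR for the <code>httpd</code> binary) raises the cost of the later chain steps but does not remove the overflow.</p>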
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability can allow a remote attacker to execute arbitrary code on the Tenda F456 router. This could lead to a complete compromise of the device, allowing the attacker to modify router settings, intercept network traffic, or use the router as a pivot point for further attacks within the network. Given the ease of exploitation and public availability of exploit code, a large number of Tenda F456 users are at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor web server logs for suspicious requests to <code>/goform/DhcpListClient</code> with unusually long <code>page</code> parameters to detect potential exploitation attempts (see Sigma rule &ldquo;Detect Tenda F456 Buffer Overflow Attempt&rdquo;).</li>
<li>Implement rate limiting on requests to the <code>/goform/DhcpListClient</code> endpoint to mitigate the impact of potential attacks.</li>
<li>Deploy the Sigma rule &ldquo;Detect Tenda F456 Buffer Overflow Response&rdquo; to identify successful exploitation attempts based on server response codes. Note that a crashed <code>httpd</code> often returns no response at all, so also watch for connection resets or unexpected device reboots that follow such requests.</li>
</ul>
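<p>The log-monitoring items in each Recommendation section above (long <code>menufacturer</code>/<code>Go</code>, <code>nextHop</code>, <code>Go</code> and <code>page</code> values; shell metacharacters in <code>fmgpon_loid</code>; any GET to <code>/goform/AdvSetDns</code>) can be expressed as one inspector over request records. The C below is an added example and not the Sigma rules the briefs reference; the record layout (method, path, parameter string as the router would have decoded it), the 128-byte threshold and the sample records are constructed assumptions.</p>

```c
/* Added example, not the feed's Sigma rules: one inspector that applies the
 * detection ideas from the Recommendation sections to request records. */
#include <stdio.h>
#include <string.h>

#define MAX_PARAM_LEN 128   /* assumption: legitimate UI values are far shorter */

typedef struct { const char *path; const char *param; } overflow_rule_t;

/* Endpoint/parameter pairs named in the buffer-overflow briefs on this page. */
static const overflow_rule_t OVERFLOW_RULES[] = {
    { "/goform/SafeClientFilter", "menufacturer" },  /* CVE-2026-7033 */
    { "/goform/SafeClientFilter", "Go" },
    { "/boaform/formRouting",     "nextHop" },       /* CVE-2026-6988 */
    { "/goform/WrlExtraSet",      "Go" },            /* CVE-2026-7034 */
    { "/goform/DhcpListClient",   "page" },          /* CVE-2026-7098 */
};

/* Length of the value of `name` inside "a=1&b=2" (pointer to it via *val),
 * or -1 if the parameter is absent. */
static int param_value_len(const char *params, const char *name, const char **val) {
    size_t nlen = strlen(name);
    const char *p = params;
    while (*p) {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            const char *e = strchr(v, '&');
            if (val) *val = v;
            return (int)(e ? (size_t)(e - v) : strlen(v));
        }
        p = strchr(p, '&');
        if (!p) break;
        p++;
    }
    return -1;
}

/* Classify one record. Returns a string literal: an alert name or "ok". */
static const char *inspect(const char *method, const char *path, const char *params) {
    const char *v = NULL;
    for (size_t i = 0; i < sizeof OVERFLOW_RULES / sizeof OVERFLOW_RULES[0]; i++) {
        if (strcmp(path, OVERFLOW_RULES[i].path) == 0 &&
            param_value_len(params, OVERFLOW_RULES[i].param, &v) > MAX_PARAM_LEN)
            return "oversized-param";
    }
    if (strcmp(path, "/boaform/admin/formgponConf") == 0) {      /* CVE-2026-7096 */
        int n = param_value_len(params, "fmgpon_loid", &v);
        /* '&' is a separator in this record format, so it cannot occur in a value. */
        for (int i = 0; i < n; i++)
            if (strchr(";|`$", v[i])) return "shell-metachar-in-loid";
    }
    if (strcmp(path, "/goform/AdvSetDns") == 0 && strcmp(method, "GET") == 0)
        return "dns-setting-change";                             /* CVE-2018-25318 */
    return "ok";
}

/* Build "name=AAAA..." with `len` A's and inspect it (demo and test helper). */
static const char *inspect_long(const char *method, const char *path,
                                const char *name, size_t len) {
    char buf[2048];
    size_t n = strlen(name);
    if (n + 1 + len + 1 > sizeof buf) len = sizeof buf - n - 2;
    memcpy(buf, name, n);
    buf[n] = '=';
    memset(buf + n + 1, 'A', len);
    buf[n + 1 + len] = '\0';
    return inspect(method, path, buf);
}

int main(void) {
    /* Constructed sample records, not captured traffic. */
    printf("%s\n", inspect("POST", "/goform/SafeClientFilter", "menufacturer=Acme&Go=1"));
    printf("%s\n", inspect_long("POST", "/goform/SafeClientFilter", "menufacturer", 600));
    printf("%s\n", inspect_long("POST", "/boaform/formRouting", "nextHop", 300));
    printf("%s\n", inspect("POST", "/boaform/admin/formgponConf", "fmgpon_loid=ABC123;reboot"));
    printf("%s\n", inspect("POST", "/boaform/admin/formgponConf", "fmgpon_loid=ABC123"));
    printf("%s\n", inspect("GET", "/goform/AdvSetDns", "dns1=203.0.113.5"));
    printf("%s\n", inspect("GET", "/goform/DhcpListClient", "page=1"));
    return 0;
}
```

<p>The router&rsquo;s own <code>httpd</code> does not log POST bodies, so records like these come from an inline IDS, a reverse proxy or a packet capture in front of the device, not from the device itself. Tune the length threshold to the longest value the web UI legitimately submits, and treat the <code>AdvSetDns</code> rule as a review queue rather than a verdict, since the legitimate admin UI hits the same endpoint.</p>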
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>cve-2026-7098</category><category>buffer-overflow</category><category>router</category></item></channel></rss>