CVE-2026-11523
Description
Tenda W20E routers are vulnerable to a stack-based buffer overflow in the Web Management Interface, allowing remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Tenda W20E routers are vulnerable to a stack-based buffer overflow in the Web Management Interface, allowing remote code execution.
Vulnerability
A stack-based buffer overflow vulnerability exists in the formPortalAuth function within the Web Management Interface of Tenda W20E routers, specifically affecting version 15.11.0.6. The vulnerability is triggered by manipulating the gotoUrl parameter in the /goform/PortalAuth endpoint, which lacks proper length validation before being copied to a fixed-size stack buffer [1].
Exploitation
An attacker can exploit this vulnerability remotely by sending a POST request to the /goform/PortalAuth endpoint with a crafted gotoUrl parameter containing a string significantly longer than the expected 256 bytes. This overflow overwrites the return address on the stack, allowing control flow hijacking. The attacker needs to be able to reach the device over the network [1].
Impact
Successful exploitation of this vulnerability can lead to a denial-of-service (DoS) condition by crashing the service, or it can result in remote code execution (RCE) with root privileges on the affected device [1].
Mitigation
Version 15.11.0.6 of the Tenda W20E is affected. A patch or updated firmware version is not explicitly mentioned in the provided references. No workarounds are currently disclosed, and the device's End-of-Life (EOL) status or inclusion in any Known Exploited Vulnerabilities (KEV) catalog is not specified [1, 2].
AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"The function formPortalAuth does not validate the length of the gotoUrl parameter before copying it to a fixed-size buffer."
Attack vector
An attacker can trigger this vulnerability by sending a maliciously crafted, overly long string within the gotoUrl parameter to the /goform/PortalAuth endpoint. This can be launched remotely and does not require special privileges. Successful exploitation can lead to a service crash or Remote Code Execution [ref_id=1].
Affected code
The vulnerability exists within the formPortalAuth function, which handles portal authentication requests. The function allocates a fixed-size stack buffer named redirect_url of 256 bytes and uses the unsafe strcpy function to copy the gotoUrl input into this buffer without length validation [ref_id=1].
What the fix does
The patch is not available in the provided information. The advisory recommends updating to a fixed version, but does not specify which version contains the fix. Users should consult the vendor for remediation guidance [ref_id=1].
Preconditions
- networkThe target device must be accessible over the network.
- authThe attacker may need to authenticate to the web management interface, though the advisory implies it can be exploited remotely, suggesting unauthenticated access might also be possible depending on the specific configuration [ref_id=1].
Reproduction
import requests import base64
host = "192.168.0.1" s = requests.session()
def trigger_overflow(): encoded_pwd = base64.b64encode(b"aaaa").decode() s.post(f"http://{host}/goform/setQuickCfgWifiAndLogin", data={"sysUserPassword": encoded_pwd}) if not s.cookies.get("user"): s.cookies.set("user", "admin")
url = f"http://{host}/goform/PortalAuth" payload = "A" * 1000 resp = s.post(url, data={"gotoUrl": payload}, timeout=5) print(resp.content)
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6News mentions
1- Tenda Routers: 13 Stack Overflow and Command Injection Vulnerabilities DisclosedVypr Intelligence · Jun 8, 2026