CVE-2026-11524
Description
Tenda W20E routers running firmware 15.11.0.6 are vulnerable to a stack-based buffer overflow via the web management interface, potentially leading to RCE.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Tenda W20E routers running firmware 15.11.0.6 are vulnerable to a stack-based buffer overflow via the web management interface, potentially leading to RCE.
Vulnerability
A stack-based buffer overflow vulnerability exists in the web management interface of Tenda W20E enterprise routers, specifically in the modifyWifiFilterRules function located at /goform/modifyWifiFilterRules. This vulnerability affects version 15.11.0.6. The issue arises from the unsafe use of the sprintf function when constructing a configuration string, which processes user-controlled parameters including wifiFilterListRemark [1].
Exploitation
An attacker can exploit this vulnerability remotely by sending a POST request to the /goform/modifyWifiFilterRules endpoint. The attack requires the attacker to manipulate the wifiFilterListRemark parameter with an overly long string. The provided proof-of-concept demonstrates that after authenticating to the router, a payload of 1000 'A' characters can be sent in the wifiFilterListRemark field to trigger the overflow [1].
Impact
Successful exploitation of this stack-based buffer overflow can lead to a crash of the web service, resulting in a Denial of Service (DoS). Additionally, it may allow for Remote Code Execution (RCE), granting the attacker control over the affected device [1].
Mitigation
The affected version is Tenda W20E 15.11.0.6. A fixed version and release date are not yet disclosed in the available references. There are no workarounds mentioned, and the device is not listed as end-of-life or on the KEV list [1, 2].
AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"The function modifyWifiFilterRules uses sprintf with user-controlled input, leading to a stack-based buffer overflow."
Attack vector
An attacker can exploit this vulnerability by sending a POST request to the /goform/modifyWifiFilterRules endpoint with a long string in the wifiFilterListRemark parameter. This parameter is processed by the vulnerable function, which does not properly validate its size. The attack can be initiated remotely and does not require authentication, as indicated by the CVSS vector [ref_id=1]. Successful exploitation can lead to a denial of service or remote code execution [ref_id=1].
Affected code
The vulnerability resides in the modifyWifiFilterRules function, which is mapped to the /goform/modifyWifiFilterRules endpoint. The issue occurs during the construction of a configuration string using the unsafe sprintf function, which processes user-controlled parameters like wifiFilterListRemark [ref_id=1].
What the fix does
The advisory does not specify a patch or provide details on how the vulnerability is fixed. Remediation guidance is not available in the provided information.
Preconditions
- authNo authentication is required to trigger the vulnerability.
- networkThe vulnerability is remotely exploitable.
Reproduction
import requests import base64
host = "192.168.0.1" s = requests.session()
def trigger_overflow(): encoded_pwd = base64.b64encode(b"aaaa").decode() s.post(f"http://{host}/goform/setQuickCfgWifiAndLogin", data={"sysUserPassword": encoded_pwd}) if not s.cookies.get("user"): s.cookies.set("user", "admin")
url = f"http://{host}/goform/modifyWifiFilterRules" payload = "A" * 1000 resp = s.post(url, data={"wifiFilterListRemark": payload}, timeout=5) print(resp.content)
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6News mentions
1- Tenda Routers: 13 Stack Overflow and Command Injection Vulnerabilities DisclosedVypr Intelligence · Jun 8, 2026