High severity 8.8 · NVD Advisory · Published Mar 27, 2026 · Updated Mar 31, 2026

CVE-2026-4904

Description

A stack-based buffer overflow in Tenda AC5 router's formSetCfm function allows remote code execution via crafted HTTP POST requests.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Overview

The Tenda AC5 router running firmware version 15.03.06.47 contains a stack-based buffer overflow vulnerability in the formSetCfm function, exposed through the /goform/setcfm POST request handler [1]. The flaw lies in how the funcpara1 argument is processed without proper bounds checking, leading to corruption of stack memory when an oversized value is supplied.

Exploitation Details

An unauthenticated remote attacker can exploit this issue by sending a crafted HTTP POST request to the /goform/setcfm endpoint with an excessively long funcpara1 parameter [1]. The router's web interface listens by default on port 80, and no prior authentication is required to trigger the overflow. The attack surface is therefore broad: any device that can reach the router's web interface over the network can reach the vulnerable endpoint.

Impact Assessment

Successful exploitation overwrites critical stack data, allowing the attacker to achieve arbitrary code execution with the privileges of the web server process. This effectively grants full control over the router [1]. Given the router's role as a network gateway, an attacker could intercept, modify, or redirect traffic, compromise connected devices, or use the router as a pivot for further attacks within the local network.

Mitigation Status

At the time of this writing, Tenda's website [1] does not list a firmware update addressing this vulnerability. The exploit has been publicly disclosed [1], increasing the risk of active exploitation. Affected users should monitor Tenda's official support channels for a security patch and consider placing the router behind a firewall or limiting remote access as interim mitigation.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
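
For monitoring while no patch is available, the following added example (not part of the advisory or of any Tenda code) flags HTTP requests that match the pattern described above: a POST to /goform/setcfm whose funcpara1 value is unusually long. The 64-byte threshold, the function name `inspect_request` and the sample requests are assumptions made for illustration; the advisory does not state the buffer size.

```python
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/goform/setcfm"   # handler named in the advisory
PARAM = "funcpara1"           # parameter named in the advisory
MAX_LEN = 64                  # assumed alert threshold; tune to observed legitimate traffic


def inspect_request(raw: bytes, max_len: int = MAX_LEN):
    """Return a finding dict if the raw HTTP request matches the pattern, else None."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split()
    if len(parts) < 2:
        return None  # not a parsable request line
    method, target = parts[0], parts[1]
    url = urlsplit(target)
    if method.upper() != "POST" or url.path != ENDPOINT:
        return None
    # The parameter can arrive in the form body or in the query string; check both.
    # latin-1 keeps one character per byte, so len() equals the decoded byte count.
    fields = parse_qs(body.decode("latin-1"), keep_blank_values=True, encoding="latin-1")
    query = parse_qs(url.query, keep_blank_values=True, encoding="latin-1")
    for key, values in query.items():
        fields.setdefault(key, []).extend(values)
    longest = max((len(v) for v in fields.get(PARAM, [])), default=0)
    if longest <= max_len:
        return None
    return {"path": url.path, "param": PARAM, "length": longest}


# Constructed sample requests (not captured traffic).
BENIGN = (b"POST /goform/setcfm HTTP/1.1\r\nHost: router.example\r\n\r\n"
          b"funcpara1=short")
OVERSIZED = (b"POST /goform/setcfm HTTP/1.1\r\nHost: router.example\r\n\r\n"
             b"funcpara1=" + b"%41" * 600)   # percent-encoded, 600 bytes once decoded
IN_QUERY = b"POST /goform/setcfm?funcpara1=" + b"A" * 100 + b" HTTP/1.1\r\n\r\n"
UNRELATED = b"GET /index.html HTTP/1.1\r\nHost: router.example\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("benign", BENIGN), ("oversized", OVERSIZED),
                      ("in_query", IN_QUERY), ("unrelated", UNRELATED)]:
        print(name, inspect_request(req))
```

The length is measured after percent-decoding, so an encoded value cannot slip under the threshold by appearing shorter or longer on the wire than it is in memory.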

Affected products

2

Patches

0

No patches discovered yet.

References

5
