Tenda F1202 PptpUserAdd fromPptpUserAdd stack-based overflow
Description
A vulnerability was identified in Tenda F1202 1.2.0.20(408). This affects the function fromPptpUserAdd of the file /goform/PptpUserAdd. The manipulation of the argument opttype leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit is publicly available and might be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stack-based buffer overflow in Tenda F1202 router's fromPptpUserAdd function allows remote unauthenticated attackers to cause denial of service or execute arbitrary code.
Vulnerability
A stack-based buffer overflow vulnerability exists in the fromPptpUserAdd function of the Tenda F1202 router, specifically in firmware version 1.2.0.20(408). The function is located in the /goform/PptpUserAdd file and processes the opttype and username parameters. When opttype is set to 1, the username parameter is passed to sprintf without any length check, which overflows the stack-based buffer s__3. This vulnerability is triggered via a POST request to the /goform/PPTPDClient endpoint [1].
Exploitation
An attacker can exploit this vulnerability remotely without authentication by sending a crafted HTTP POST request to the vulnerable endpoint. The request must include opttype=1 and a long username string (e.g., 1785 characters of 'a') to overflow the buffer. The exploit is publicly available and includes a proof-of-concept (PoC) that demonstrates the attack [1]. No user interaction or special network position is required beyond network access to the router's web interface.
Impact
Successful exploitation can result in denial of service (DoS) through a crash of the httpd process, or in remote code execution (RCE) with the privileges of the web server. This could allow an attacker to fully compromise the router, potentially leading to further network attacks or data exfiltration [1].
Mitigation
As of the publication date, no official patch or firmware update has been released by Tenda to address this vulnerability. The vendor's website [2] does not list a fixed version. Users are advised to restrict remote access to the router's management interface, monitor for suspicious traffic, and consider replacing the device if it reaches end-of-life. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing length validation in fromPptpUserAdd allows sprintf to overflow a stack buffer when opttype is 1."
Attack vector
An attacker sends a crafted POST request to `/goform/PPTPDClient` with `opttype=1` and an overly long `username` value. When `opttype` is 1, the `sprintf` function copies the `username` into a stack-based buffer `s__3` without any length check, causing a buffer overflow [ref_id=1]. The attack is remotely exploitable over the network with no authentication required [ref_id=1].
Affected code
The vulnerability resides in the `fromPptpUserAdd` function within the file `/goform/PptpUserAdd` of the Tenda F1202 firmware version 1.2.0.20(408). The function reads user-supplied parameters `username` and `opttype` without proper length validation [ref_id=1].
What the fix does
No patch is provided in the bundle. The advisory recommends that input length validation be added before the `sprintf` call in `fromPptpUserAdd` to prevent the stack-based buffer overflow when `opttype` equals 1 [ref_id=1]. Without such a fix, an attacker can trigger a denial of service or remote code execution.
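The length validation recommended above can be sketched in C as follows. This is an added example, not Tenda's code or the advisory's: the buffer size, the 32-character limit, the `user=%s` format string and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define USER_BUF_LEN     64  /* assumed; the firmware's real buffer size is not on the page */
#define MAX_USERNAME_LEN 32  /* assumed policy limit for a PPTP user name */

/* Pattern the advisory describes: sprintf copies request input with no bound.
 * Kept for contrast only and never called in this example. */
void format_user_unsafe(char *dst, const char *username)
{
    sprintf(dst, "user=%s", username);            /* format string is assumed */
}

/* Hardened form: 0 = dst holds the entry, -1 = request rejected (dst is ""). */
int format_user_checked(char *dst, size_t dst_len,
                        const char *opttype, const char *username)
{
    int n;
    if (dst == NULL || dst_len == 0)
        return -1;
    dst[0] = '\0';
    if (opttype == NULL || username == NULL || strcmp(opttype, "1") != 0)
        return -1;
    if (strlen(username) > MAX_USERNAME_LEN)      /* validate before formatting */
        return -1;
    n = snprintf(dst, dst_len, "user=%s", username);
    if (n < 0 || (size_t)n >= dst_len) {          /* truncation is a failure too */
        dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* Constructed input: a user name of n 'a' characters sent with opttype=1. */
int try_username_len(size_t n)
{
    char name[2048], out[USER_BUF_LEN];
    if (n >= sizeof name)
        return -1;
    memset(name, 'a', n);
    name[n] = '\0';
    return format_user_checked(out, sizeof out, "1", name);
}

int main(void)
{
    printf("%d %d %d\n", try_username_len(32), try_username_len(33), try_username_len(1785));
    return 0;
}
```

The explicit length check rejects the request before any formatting happens, and the `snprintf` return-value check remains as a second bound in case the limit and the buffer size ever drift apart.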
Preconditions
- config: The target device must be running Tenda F1202 firmware version 1.2.0.20(408).
- network: The attacker must have network access to the device's web interface.
- auth: No authentication is required; the vulnerable endpoint is reachable without prior login.
- input: The attacker sends a POST request with opttype=1 and an oversized username parameter.
Reproduction
Send a POST request to `/goform/PPTPDClient` with `opttype=1` and a long string of `a` characters as the `username` parameter. The exact PoC payload is provided in the reference write-up [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
- github.com/Litengzheng/vuldb_new2/blob/main/F1202/vul_35/README.md [mitre, exploit]
- vuldb.com/submit/813916 [mitre, third-party-advisory]
- vuldb.com/vuln/365412 [mitre, vdb-entry, technical-description]
- vuldb.com/vuln/365412/cti [mitre, signature, permissions-required]
- www.tenda.com.cn [mitre, product]