VYPR
Advisory · Published May 31, 2026 · 1 source

Five Stack-Buffer-Overflow CVEs Disclosed in Tenda F1202 & F456 Routers in 16-Hour Batch

Five high-severity stack-based buffer overflow vulnerabilities were disclosed across two Tenda router models in a 16-hour window, with public exploits already available for all five CVEs.

Tenda found itself in the spotlight on May 24–25, 2026, when five high-severity CVEs landed in public disclosure within a 16-hour window — four targeting the F1202 router (firmware 1.2.0.20(408)) and one hitting the F456 router (firmware 1.0.0.5). Every single vulnerability is a stack-based buffer overflow, carries a CVSSv3 score of 8.8, and already has a publicly available exploit. For users of these aging SOHO routers, the message is urgent: patch or isolate.

Four CVEs in the Tenda F1202 — same bug class, different endpoints

The largest cluster centers on the F1202's /goform CGI handlers. CVE-2026-9431 affects the fromPptpUserAdd function via the opttype argument in /goform/PptpUserAdd, allowing a remote attacker to overflow the stack. CVE-2026-9430 hits formGstDhcpSetSer in /goform/GstDhcpSetSer through the dips argument. CVE-2026-9429 exploits formWrlExtraSet in /goform/WrlExtraSet by manipulating the delno argument. And CVE-2026-9428 targets fromPPTPUserSetting in /goform/PPTPUserSetting, again via the delno argument. All four share the same root cause: the firmware fails to validate input length before copying data into fixed-size stack buffers, a classic memory-corruption pattern that can lead to remote code execution on the device.

A fifth CVE in the Tenda F456

The batch is rounded out by CVE-2026-9389, which affects the F456 model — a different device but the same vulnerability class. The flaw lives in the frmL7ImForm function inside /goform/L7Im, where the page argument is copied without bounds checking, causing a buffer overflow. Like its F1202 counterparts, this bug is remotely exploitable and has a public exploit.

Exploitation context

All five CVEs have publicly disclosed exploits — meaning proof-of-concept code is available on the open web. None of the sources indicates active in-the-wild exploitation by a named threat actor at the time of disclosure, but three factors make these attractive targets for botnets and IoT malware campaigns: a remote attack vector, the lack of an authentication requirement implied by the /goform handler pattern, and public exploit code. Tenda SOHO routers have historically been a favorite target for Mirai-variant botnets.

Patch and mitigation status

As of the disclosure date, Tenda has not released a coordinated security advisory for this batch. The F1202 firmware version 1.2.0.20(408) and F456 firmware version 1.0.0.5 are the confirmed affected builds. Users should check Tenda's official support portal for firmware updates. In the absence of a patch, network administrators are advised to restrict remote access to the router's web management interface — do not expose the /goform endpoints to the internet — and consider placing affected devices behind a firewall or replacing them if they are end-of-life.
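
An added example, not from the original advisory or from Tenda: a Python triage pass over captured HTTP requests (for instance from a reverse proxy or IDS in front of the router) that flags traffic to the five handlers named above, either arriving from outside the LAN or carrying an unusually long value in the argument each CVE names. The record layout, the LAN subnet and the 64-character threshold are assumptions; the page does not give the buffer sizes.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Handler path -> (argument, CVE) as listed in this advisory.
# The GstDhcpSetSer path follows the handler name formGstDhcpSetSer.
WATCHED = {
    "/goform/PptpUserAdd": ("opttype", "CVE-2026-9431"),
    "/goform/GstDhcpSetSer": ("dips", "CVE-2026-9430"),
    "/goform/WrlExtraSet": ("delno", "CVE-2026-9429"),
    "/goform/PPTPUserSetting": ("delno", "CVE-2026-9428"),
    "/goform/L7Im": ("page", "CVE-2026-9389"),
}
LAN = ipaddress.ip_network("192.168.0.0/24")  # assumption: the management LAN
MAX_ARG_LEN = 64  # assumption: triage threshold, not the real buffer size


def scan(records):
    """Return findings as (source IP, CVE, reason) tuples.

    Each record is (source IP, request-target, form-encoded POST body).
    """
    findings = []
    for src, target, body in records:
        parts = urlsplit(target)
        hit = WATCHED.get(parts.path.rstrip("/"))
        if hit is None:
            continue  # not one of the five affected handlers
        arg, cve = hit
        # The mitigation above: /goform must not be reachable from outside.
        if ipaddress.ip_address(src) not in LAN:
            findings.append((src, cve, "request from outside LAN"))
        # The argument can arrive in the query string or the POST body;
        # parse_qs percent-decodes, so the length is the decoded length.
        for encoded in (parts.query, body):
            for value in parse_qs(encoded, keep_blank_values=True).get(arg, []):
                if len(value) > MAX_ARG_LEN:
                    findings.append((src, cve, f"{arg} length {len(value)}"))
    return findings


SAMPLE = [  # constructed records, not real traffic
    ("192.168.0.10", "/goform/L7Im?page=1", ""),
    ("192.168.0.10", "/goform/WrlExtraSet", "delno=" + "A" * 300),
    ("203.0.113.7", "/goform/PptpUserAdd", "opttype=1"),
    ("192.168.0.11", "/index.html", ""),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```
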

Why this batch matters

Five buffer-overflow CVEs, all high severity, all with public exploits, disclosed in a single 16-hour window, across two router models from the same vendor, is a signal. It suggests either a coordinated researcher disclosure or a code-audit dump that found the same insecure coding pattern repeated across Tenda's firmware base. For the thousands of small-office and home users running F1202 or F456 routers, the window for proactive defense is narrow. The next step is to watch for a consolidated Tenda advisory and for any signs that these exploits have been incorporated into IoT botnet toolkits.

Synthesized by Vypr AI