CVE-2026-11504 - Vulnerability Details

- Tenda CX12L Wi-Fi Schedule Configuration Endpoint openSchedWifi setSchedWifi stack-based overflow

Description

A vulnerability was detected in Tenda CX12L 16.03.53.12. The impacted element is the function setSchedWifi of the file /goform/openSchedWifi of the component Wi-Fi Schedule Configuration Endpoint. Performing a manipulation of the argument schedStartTime/schedEndTime results in stack-based buffer overflow. The attack may be initiated remotely. The exploit is now public and may be used.

Published: 2026-06-08

Score: 8.7 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A stack-based buffer overflow exists in the setSchedWifi function of the Wi‑Fi Schedule Configuration Endpoint /goform/openSchedWifi on Tenda CX12L firmware 16.03.53.12. Manipulating the parameters schedStartTime or schedEndTime allows an attacker to overflow a stack buffer, which can lead to arbitrary code execution when the vulnerable module is invoked. This flaw directly compromises the confidentiality, integrity, and availability of the device by giving an attacker the ability to run malicious code remotely.

Affected Systems

The vulnerable product is the Tenda CX12L router running firmware version 16.03.53.12. Systems using this model and firmware are susceptible to the overflow unless a patch or firmware upgrade is applied.

Risk and Exploitability

The CVSS score of 8.7 classifies the vulnerability as High severity. No EPSS value is available, but the flaw is public and can be exploited remotely. The vulnerability is not listed in CISA’s KEV catalog, yet its remote nature and high impact make it a strong candidate for immediate action. Exploitation requires network connectivity to the router’s administrative interface and target the Wi‑Fi schedule configuration endpoint.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Tenda

CX12L

affected

Version	Status	Constraints
`16.03.53.12`	affected	—

No data.

Vendor Product Confidence Versions

Tenda

Cx12l

100%

Version	Status	Scheme	Platform
`16.03.53.12`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest firmware update released by Tenda that fixes the openSchedWifi stack overflow bug.
If an update is not available, disable or lock down the Wi‑Fi schedule configuration endpoint to prevent external manipulation.
Ensure that administrative interfaces are only accessible from trusted networks or through VPNs, and monitor for anomalous access attempts on the affected endpoints.

Generated by OpenCVE AI on June 8, 2026 at 12:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

This CVE is not in the KEV list.

The EPSS score is 0.00088.

Exploitation poc

Automatable no

Technical Impact total

References

Link	Providers
https://github.com/cve-a/moist/issues/2
https://vuldb.com/cve/CVE-2026-11504
https://vuldb.com/submit/835649
https://vuldb.com/vuln/369124
https://vuldb.com/vuln/369124/cti
https://www.tenda.com.cn/

History

Mon, 08 Jun 2026 13:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Tenda cx12l
Vendors & Products		Tenda cx12l

Mon, 08 Jun 2026 13:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 08 Jun 2026 11:45:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was detected in Tenda CX12L 16.03.53.12. The impacted element is the function setSchedWifi of the file /goform/openSchedWifi of the component Wi-Fi Schedule Configuration Endpoint. Performing a manipulation of the argument schedStartTime/schedEndTime results in stack-based buffer overflow. The attack may be initiated remotely. The exploit is now public and may be used.
Title		Tenda CX12L Wi-Fi Schedule Configuration Endpoint openSchedWifi setSchedWifi stack-based overflow
First Time appeared		Tenda Tenda cx12l Firmware
Weaknesses		CWE-119 CWE-121
CPEs		cpe:2.3:o:tenda:cx12l_firmware::::::::
Vendors & Products		Tenda Tenda cx12l Firmware
References		https://github.com/cve-a/moist/issues/2 https://vuldb.com/cve/CVE-2026-11504 https://vuldb.com/submit/835649 https://vuldb.com/vuln/369124 https://vuldb.com/vuln/369124/cti https://www.tenda.com.cn/
Metrics		cvssV2_0 `{'score': 9, 'vector': 'AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Tenda Cx12l Cx12l Firmware

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-06-08T10:00:13.594Z

Updated: 2026-06-08T10:00:13.594Z

Reserved: 2026-06-07T14:01:17.439Z

Link: CVE-2026-11504

Vulnrichment

Updated: 2026-06-08T12:57:13.607Z

NVD

Status : Received

Published: 2026-06-08T12:16:30.580

Modified: 2026-06-08T12:16:30.580

Link: CVE-2026-11504

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-08T13:30:24Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

Exploitation poc

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object