Description
A security vulnerability has been detected in Tenda JD12L 16.03.53.23. Impacted is the function formSetPPTPServer of the file /goform/SetPptpServerCfg. Such manipulation of the argument startIp leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed publicly and may be used.
Published: 2026-06-28
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stack-based buffer overflow exists in the formSetPPTPServer function of Tenda JD12L firmware 16.03.53.23, triggered by malicious input to the startIp parameter of the /goform/SetPptpServerCfg endpoint. The flaw, identified as CVE-2026-13515, can be exploited remotely and may lead to arbitrary code execution or full system compromise. It carries a CVSS 4.0 score of 8.7 (high severity) and is categorized under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow).

Affected Systems

Tenda JD12L router, firmware version 16.03.53.23. All devices running this exact firmware are susceptible; newer releases are presumed patched unless confirmed otherwise.

Risk and Exploitability

The attack can be launched remotely against the vulnerable endpoint, and the exploit has been publicly disclosed. EPSS is not available and the CVE is not listed in KEV, but the high CVSS score and the public exploit suggest a significant risk of exploitation. The CVSS vectors in this record specify PR:L (Au:S in CVSS 2.0), meaning the attacker needs a low-privileged authenticated session to reach the endpoint. An attacker would need to send a specially crafted startIp value to trigger the overflow, allowing control over the execution flow of the router's firmware.

Generated by OpenCVE AI on June 29, 2026 at 00:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Tenda JD12L firmware to the latest version that includes the overflow fix.
  • Restrict external access to the /goform/SetPptpServerCfg endpoint, or place it behind a firewall or VPN so only trusted devices can communicate with it.
  • If the PPTP server function is not needed, disable it entirely in the router’s settings to eliminate the attack surface.



Advisories

No advisories yet.

History

Sun, 28 Jun 2026 23:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A security vulnerability has been detected in Tenda JD12L 16.03.53.23. Impacted is the function formSetPPTPServer of the file /goform/SetPptpServerCfg. Such manipulation of the argument startIp leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. |
| Title | | Tenda JD12L SetPptpServerCfg formSetPPTPServer stack-based overflow |
| First Time appeared | | Tenda; Tenda jd12l |
| Weaknesses | | CWE-119; CWE-121 |
| CPEs | | cpe:2.3:h:tenda:jd12l:*:*:*:*:*:*:*:* |
| Vendors & Products | | Tenda; Tenda jd12l |
| References | | |
| Metrics | | cvssV2_0: {'score': 9, 'vector': 'AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}; cvssV3_0: {'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}; cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}; cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'} |


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-28T23:30:10.966Z

Reserved: 2026-06-28T06:45:40.498Z

Link: CVE-2026-13515

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T00:30:04Z

Weaknesses
  • CWE-119

    Improper Restriction of Operations within the Bounds of a Memory Buffer

  • CWE-121

    Stack-based Buffer Overflow