Description
A flaw has been found in Tenda A21 1.0.0.0. Impacted is the function form_fast_setting_wifi_set of the file /goform/fast_setting_wifi_set. Executing a manipulation of the argument ssid can lead to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been published and may be used.
Published: 2026-02-21
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via Stack-Based Buffer Overflow
Action: Update Firmware
AI Analysis

Impact

A stack-based buffer overflow exists in Tenda A21 routers' firmware 1.0.0.0, specifically within the form_fast_setting_wifi_set function of the /goform/fast_setting_wifi_set endpoint. A crafted ssid parameter that exceeds the expected input size can trigger the overflow, potentially allowing an attacker to inject and execute arbitrary code on the device. This flaw is classified as improper restriction of operations within the bounds of a memory buffer (CWE-119) and stack-based buffer overflow (CWE-121).

Affected Systems

All Tenda A21 routers running firmware version 1.0.0.0 are affected. The vulnerability is only reported for this version, and no other firmware releases or product variants are listed. The flaw resides in the web‑based configuration interface, making remote access a vector for exploitation.

Risk and Exploitability

The flaw carries a CVSS score of 8.7, indicating high severity, but the EPSS score is less than 1%, showing that widespread exploitation is unlikely at present. The vulnerability is not listed in CISA's KEV catalog. An attacker only needs to send a maliciously crafted POST request to the /goform/fast_setting_wifi_set endpoint from a remote location; based on the description of remote exploitation via the web interface, it is inferred that the vulnerable endpoint does not require authentication, making the attack remotely accessible. Published proof-of-concept code demonstrates that an exploit can be triggered remotely, implying that the risk remains significant for exposed devices.

Generated by OpenCVE AI on April 18, 2026 at 19:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check Tenda’s website or product support page for a firmware update that addresses the buffer‑overflow flaw and install the latest available firmware.
  • If no updated firmware is available, disable remote management of the router’s web interface or restrict access to trusted IP ranges to eliminate the attack surface.
  • Implement network‑level controls, such as firewall or ACL rules, to block or limit POST requests to /goform/fast_setting_wifi_set that carry an ssid parameter larger than the router’s maximum expected length, preventing malformed inputs from reaching the vulnerable code.
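
The length check from the last recommendation, as an added example (not OpenCVE's or Tenda's code). The page does not state the router's maximum ssid length, so the 32-octet bound is an assumption taken from the IEEE 802.11 SSID limit; the function names and sample requests are constructed for illustration.

```python
from urllib.parse import unquote_to_bytes

ENDPOINT = b"/goform/fast_setting_wifi_set"  # path named in the advisory
MAX_SSID_OCTETS = 32  # assumption: IEEE 802.11 SSID limit; the page gives no bound


def _decode(field: bytes) -> bytes:
    """Undo form encoding so length is measured on the decoded value."""
    return unquote_to_bytes(field.replace(b"+", b" "))


def ssid_lengths(form: bytes) -> list[int]:
    """Decoded length in octets of every ssid field in form-encoded data."""
    lengths = []
    for pair in form.split(b"&"):
        name, _, value = pair.partition(b"=")
        if _decode(name) == b"ssid":
            lengths.append(len(_decode(value)))
    return lengths


def should_block(raw_request: bytes) -> bool:
    """True when a POST to the endpoint carries an ssid over MAX_SSID_OCTETS."""
    head, _, body = raw_request.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].split(b" ")
    if len(request_line) < 2:
        return False  # not an HTTP request line; leave to other controls
    method, target = request_line[0], request_line[1]
    path, _, query = target.partition(b"?")
    if method.upper() != b"POST" or ENDPOINT not in unquote_to_bytes(path):
        return False
    # Check every ssid occurrence, in the query string as well as the body,
    # so a short first value cannot hide a long duplicate.
    return any(n > MAX_SSID_OCTETS for n in ssid_lengths(query) + ssid_lengths(body))


def sample_post(body: bytes) -> bytes:
    """Constructed sample request (192.0.2.1 is a documentation address)."""
    return (b"POST /goform/fast_setting_wifi_set HTTP/1.1\r\n"
            b"Host: 192.0.2.1\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n\r\n" + body)


if __name__ == "__main__":
    for label, body in [("short", b"ssid=HomeNet"),
                        ("encoded, 32 octets", b"ssid=" + b"%41" * 32),
                        ("33 octets", b"ssid=" + b"A" * 33)]:
        print(label, "->", "block" if should_block(sample_post(body)) else "allow")
```

A packet filter that only sees addresses and ports cannot apply this check; it belongs in whatever proxy or WAF terminates HTTP in front of the management interface.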

Advisories

No advisories yet.

History

Mon, 23 Feb 2026 20:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Tenda a21 Firmware
CPEs | | cpe:2.3:h:tenda:a21:-:*:*:*:*:*:*:*; cpe:2.3:o:tenda:a21_firmware:1.0.0.0:*:*:*:*:*:*:*
Vendors & Products | | Tenda a21 Firmware

Mon, 23 Feb 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 23 Feb 2026 15:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Tenda; Tenda a21
Vendors & Products | | Tenda; Tenda a21

Sat, 21 Feb 2026 17:45:00 +0000

Type | Values Removed | Values Added
Description | | A flaw has been found in Tenda A21 1.0.0.0. Impacted is the function form_fast_setting_wifi_set of the file /goform/fast_setting_wifi_set. Executing a manipulation of the argument ssid can lead to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been published and may be used.
Title | | Tenda A21 fast_setting_wifi_set form_fast_setting_wifi_set stack-based overflow
Weaknesses | | CWE-119; CWE-121
References | |
Metrics (cvssV2_0) | | {'score': 9, 'vector': 'AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}
Metrics (cvssV3_0) | | {'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
Metrics (cvssV3_1) | | {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
Metrics (cvssV4_0) | | {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T15:41:47.302Z

Reserved: 2026-02-20T14:40:51.726Z

Link: CVE-2026-2874

Vulnrichment

Updated: 2026-02-23T15:41:41.079Z

NVD

Status: Analyzed

Published: 2026-02-21T18:15:59.770

Modified: 2026-02-23T20:09:11.397

Link: CVE-2026-2874

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T19:45:08Z

Weaknesses