Description
A flaw has been found in Tenda A18 Pro 02.03.02.28. This issue affects the function setSchedWifi of the file /goform/openSchedWifi. This manipulation causes stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit has been published and may be used.
Published: 2026-03-20
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A stack-based buffer overflow has been discovered in the setSchedWifi function exposed through the /goform/openSchedWifi endpoint on Tenda A18 Pro routers. The flaw enables an attacker to send a crafted request that overflows a stack buffer, which can lead to arbitrary code execution. The weakness is classified as a buffer overflow (CWE‑119) and a stack-based buffer overwrite (CWE‑121).

Affected Systems

The vulnerability affects Tenda A18 Pro routers running firmware version 02.03.02.28. No other products or firmware versions are listed in the available data.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity, and the EPSS score is not available. The vulnerability is not included in the CISA Known Exploited Vulnerabilities catalog, yet an exploit has already been published and can be used remotely. An attacker who can reach the router’s administrative interface over the network—either within a local network or from the internet if the interface is exposed—can trigger the overflow by sending a specially crafted request to /goform/openSchedWifi. Successful exploitation could grant the attacker full control over the device.

Generated by OpenCVE AI on March 20, 2026 at 18:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update from Tenda that patches the stack-based overflow in setSchedWifi.
  • If no update is available, disable the openSchedWifi feature through the router’s web interface or configuration settings to block the vulnerable endpoint.
  • Restrict access to the router’s administrative interface to trusted local IP addresses or secure it behind a VPN, preventing exposure to untrusted networks.
  • Monitor web traffic for suspicious requests to /goform/openSchedWifi, and isolate the router from critical network segments to reduce potential impact.

Generated by OpenCVE AI on March 20, 2026 at 18:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Tenda
Tenda a18 Pro
Vendors & Products Tenda
Tenda a18 Pro

Fri, 20 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description A flaw has been found in Tenda A18 Pro 02.03.02.28. This issue affects the function setSchedWifi of the file /goform/openSchedWifi. This manipulation causes stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit has been published and may be used.
Title Tenda A18 Pro openSchedWifi setSchedWifi stack-based overflow
Weaknesses CWE-119
CWE-121
References
Metrics cvssV2_0

{'score': 9, 'vector': 'AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Tenda A18 Pro
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-20T21:29:13.459Z

Reserved: 2026-03-20T08:32:39.827Z

Link: CVE-2026-4490

cve-icon Vulnrichment

Updated: 2026-03-20T21:29:09.793Z

cve-icon NVD

Status : Deferred

Published: 2026-03-20T17:17:00.030

Modified: 2026-04-22T21:32:08.360

Link: CVE-2026-4490

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:29:01Z

Weaknesses