Description
A vulnerability has been found in Tenda A18 Pro 02.03.02.28. Impacted is the function fromSetIpMacBind of the file /goform/SetIpMacBind. Such manipulation of the argument list leads to stack-based buffer overflow. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.
Published: 2026-03-20
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A stack‑based buffer overflow exists in the fromSetIpMacBind function of the Tenda A18 Pro firmware, reached through the /goform/SetIpMacBind web form. By sending a crafted argument list to that form, an attacker can overflow the input buffer, corrupt the stack, and potentially execute arbitrary code with the device’s privileges. The weakness is classified as CWE‑119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE‑121 (Stack‑Based Buffer Overflow).

Affected Systems

The affected product is the Tenda A18 Pro running firmware version 02.03.02.28. No other vendors, products, or versions are listed as impacted.

Risk and Exploitability

The vulnerability scores 8.7 (High) under CVSS 4.0 and is exploitable remotely through the web interface; the CVSS vectors recorded for this entry set PR:L, meaning the attacker needs low‑privileged access to the device. A public exploit has been disclosed, and the absence of a known patch increases the likelihood of exploitation when the device is exposed to a network. The risk is elevated for networks that allow inbound traffic to the device’s management interface.

Generated by OpenCVE AI on March 20, 2026 at 18:22 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update from Tenda that addresses the buffer overflow if one is available
  • If no firmware update exists, block remote access to the /goform/SetIpMacBind endpoint using firewall rules or disable the feature in the device’s configuration
  • Implement network segmentation or VPN to restrict management traffic to trusted internal hosts
  • Monitor device logs for anomalous activity referencing SetIpMacBind and enforce regular patching procedures

Generated by OpenCVE AI on March 20, 2026 at 18:22 UTC.

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Tenda
Tenda a18 Pro
Vendors & Products Tenda
Tenda a18 Pro

Fri, 20 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description A vulnerability has been found in Tenda A18 Pro 02.03.02.28. Impacted is the function fromSetIpMacBind of the file /goform/SetIpMacBind. Such manipulation of the argument list leads to stack-based buffer overflow. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.
Title Tenda A18 Pro SetIpMacBind fromSetIpMacBind stack-based overflow
Weaknesses CWE-119
CWE-121
References
Metrics cvssV2_0

{'score': 9, 'vector': 'AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-20T17:01:24.970Z

Reserved: 2026-03-20T08:32:43.616Z

Link: CVE-2026-4491

Vulnrichment

Updated: 2026-03-20T17:01:21.919Z

NVD

Status: Deferred

Published: 2026-03-20T17:17:00.240

Modified: 2026-04-22T21:32:08.360

Link: CVE-2026-4491

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:29:00Z
