Description
A vulnerability has been found in Tenda AC15 15.03.05.19. This affects the function formSetCfm of the file /goform/setcfm of the component POST Request Handler. The manipulation of the argument funcpara1 leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Published: 2026-03-27
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution
Action: Immediate patch
AI Analysis

Impact

Tenda AC15 firmware version 15.03.05.19 contains a stack-based buffer overflow in the POST request handler for the /goform/setcfm endpoint. Manipulating the funcpara1 parameter causes an out-of-bounds write on the stack, which can lead to arbitrary code execution or a denial of service. The weakness is classified as CWE-119 (improper restriction of operations within the bounds of a memory buffer) and CWE-121 (stack-based buffer overflow). The exploit is publicly disclosed and can be executed remotely.

Affected Systems

The affected product is the Tenda AC15 router running firmware 15.03.05.19. No other versions or products are listed as affected.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity risk. EPSS information is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is remote, requiring an attacker to send a crafted POST request to the /goform/setcfm endpoint, which can be performed over the open network interface of the router.

Generated by OpenCVE AI on March 27, 2026 at 21:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the Tenda website or support portal for a firmware update that addresses the buffer overflow; apply the latest firmware immediately.
  • If no official update is available, block or restrict access to the /goform/setcfm endpoint on the router using firewall rules or by configuring local network segmentation to limit exposure to trusted devices.
  • Monitor inbound POST traffic to the router for suspicious activity and log attempts targeting /goform/setcfm so that potential exploitation attempts can be detected and investigated.

Advisories

No advisories yet.

History

Mon, 30 Mar 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 30 Mar 2026 07:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Tenda ac15
Vendors & Products | | Tenda ac15

Fri, 27 Mar 2026 20:15:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability has been found in Tenda AC15 15.03.05.19. This affects the function formSetCfm of the file /goform/setcfm of the component POST Request Handler. The manipulation of the argument funcpara1 leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Title | | Tenda AC15 POST Request setcfm formSetCfm memory corruption
First Time appeared | | Tenda; Tenda ac15 Firmware
Weaknesses | | CWE-119; CWE-121
CPEs | | cpe:2.3:o:tenda:ac15_firmware:*:*:*:*:*:*:*:*
Vendors & Products | | Tenda; Tenda ac15 Firmware
References | |
Metrics | | cvssV2_0: {'score': 9, 'vector': 'AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0: {'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
 | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
 | | cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-30T18:58:54.834Z

Reserved: 2026-03-27T08:58:22.978Z

Link: CVE-2026-4975

Vulnrichment

Updated: 2026-03-30T18:58:51.694Z

NVD

Status: Awaiting Analysis

Published: 2026-03-27T20:16:38.707

Modified: 2026-03-30T13:26:07.647

Link: CVE-2026-4975

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T07:00:34Z

Weaknesses