Description
A vulnerability was identified in Tenda AC10 16.03.10.10_multi_TDE01. This affects the function fromSysToolChangePwd of the file /bin/httpd. The manipulation leads to stack-based buffer overflow. The attack may be initiated remotely. Multiple endpoints might be affected.
Published: 2026-04-05
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a stack‑based buffer overflow in the fromSysToolChangePwd function of the Tenda AC10 httpd binary, which can be triggered by a crafted request. The flaw is linked to CWE‑119 and CWE‑121, allowing an attacker to potentially execute arbitrary code or crash the service. The result is a compromise of confidentiality, integrity, and availability of the device.

Affected Systems

Affected are Tenda AC10 routers running firmware version 16.03.10.10_multi_TDE01. The issue resides in the /bin/httpd binary exposed through the web management interface, and multiple points of entry may be impacted.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity, and the flaw can be exploited remotely without local access. EPSS data is unavailable and the vulnerability is not listed in CISA’s KEV catalog, so the risk remains high until a patch is applied. An attacker would need to send a crafted request to the httpd service to trigger the overflow.

Generated by OpenCVE AI on April 5, 2026 at 10:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Identify whether your AC10 device runs firmware 16.03.10.10_multi_TDE01 or an earlier version.
  • Download and install the latest firmware from Tenda’s official website, ensuring it contains the fix for the overflow.
  • If no corrected firmware is available, block external access to the device’s management interface using firewall rules or a VPN.
  • Monitor the device’s logs for abnormal activity and adjust access controls as needed.

Generated by OpenCVE AI on April 5, 2026 at 10:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 07:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Tenda ac10
Vendors & Products Tenda ac10

Sun, 05 Apr 2026 08:15:00 +0000

Type Values Removed Values Added
Description A vulnerability was identified in Tenda AC10 16.03.10.10_multi_TDE01. This affects the function fromSysToolChangePwd of the file /bin/httpd. The manipulation leads to stack-based buffer overflow. The attack may be initiated remotely. Multiple endpoints might be affected.
Title Tenda AC10 httpd fromSysToolChangePwd stack-based overflow
First Time appeared Tenda
Tenda ac10 Firmware
Weaknesses CWE-119
CWE-121
CPEs cpe:2.3:o:tenda:ac10_firmware:*:*:*:*:*:*:*:*
Vendors & Products Tenda
Tenda ac10 Firmware
References
Metrics cvssV2_0

{'score': 9, 'vector': 'AV:N/AC:L/Au:S/C:C/I:C/A:C/E:ND/RL:ND/RC:UR'}

cvssV3_0

{'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:R'}

cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:R'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X'}

Subscriptions

Tenda Ac10 Ac10 Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-07T02:43:36.590Z

Reserved: 2026-04-04T13:28:12.754Z

Link: CVE-2026-5550

cve-icon Vulnrichment

Updated: 2026-04-07T02:43:32.621Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-05T08:16:25.100

Modified: 2026-04-07T13:20:35.010

Link: CVE-2026-5550

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-06T21:57:04Z

Weaknesses