Description
A vulnerability has been found in Tenda AC9 15.03.02.13. Impacted is the function formQuickIndex of the file /goform/QuickIndex of the component POST Request Handler. Such manipulation of the argument PPPOEPassword leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Published: 2026-04-10
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A stack-based buffer overflow exists in the Tenda AC9 firmware, in the POST request handler for the QuickIndex form. By sending a crafted PPPOEPassword field to the /goform/QuickIndex endpoint, an attacker can corrupt the handler's stack; the flaw is classified as CWE-119 and CWE-121. The vulnerability is publicly disclosed and remotely exploitable, potentially leading to arbitrary code execution on the router.

Affected Systems

Devices running the Tenda AC9 firmware version 15.03.02.13 are affected. The flaw resides in the AC9 product line and manifests when the QuickIndex form is accessed via HTTP POST.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.7, indicating high severity. The EPSS score is not available and the issue is not listed in the CISA KEV catalog, but the public disclosure and remote attack vector via the QuickIndex endpoint suggest that attackers could target the device from a network that can reach its management interface.

Generated by OpenCVE AI on April 10, 2026 at 06:21 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update released by Tenda for the AC9 device.
  • If a firmware update is not yet available, block or restrict access to the /goform/QuickIndex endpoint from untrusted networks using firewall rules.
  • Disable the QuickIndex feature or the ability to modify PPPOEPassword settings until a patch is applied.
  • Verify the installed firmware version after updating and ensure no unpatched instances remain in the network.



Advisories

No advisories yet.

History

Fri, 10 Apr 2026 09:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Tenda ac9 |
| Vendors & Products | | Tenda ac9 |

Fri, 10 Apr 2026 05:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A vulnerability has been found in Tenda AC9 15.03.02.13. Impacted is the function formQuickIndex of the file /goform/QuickIndex of the component POST Request Handler. Such manipulation of the argument PPPOEPassword leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. |
| Title | | Tenda AC9 POST Request QuickIndex formQuickIndex stack-based overflow |
| First Time appeared | | Tenda, Tenda ac9 Firmware |
| Weaknesses | | CWE-119, CWE-121 |
| CPEs | | `cpe:2.3:o:tenda:ac9_firmware:*:*:*:*:*:*:*:*` |
| Vendors & Products | | Tenda, Tenda ac9 Firmware |
| References | | |
| Metrics | | cvssV2_0 `{'score': 9, 'vector': 'AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}` |
| | | cvssV3_0 `{'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}` |
| | | cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}` |
| | | cvssV4_0 `{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}` |


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-10T04:45:15.605Z

Reserved: 2026-04-09T14:36:50.168Z

Link: CVE-2026-6015

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-10T06:16:06.510

Modified: 2026-04-10T06:16:06.510

Link: CVE-2026-6015

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:26:45Z

Weaknesses