Description
A flaw has been found in Tenda F456 1.0.0.5. This vulnerability affects the function formWrlsafeset of the file /goform/AdvSetWrlsafeset. Executing a manipulation of the argument mit_ssid can lead to stack-based buffer overflow. The attack may be performed from remote. The exploit has been published and may be used.
Published: 2026-04-13
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch
AI Analysis

Impact

The flaw is a stack‑based buffer overflow in the formWrlsafeset function of the /goform/AdvSetWrlsafeset endpoint on Tenda F456 routers. An attacker can manipulate the mit_ssid parameter to overflow the stack, enabling execution of arbitrary code from a remote location. This weakness involves both buffer overrun and stack corruption, allowing a crafted request to hijack control flow.

Affected Systems

The vulnerability exists in Tenda F456 routers running firmware version 1.0.0.5. No other vendors or product versions are listed as affected.

Risk and Exploitability

An exploit for this flaw has been published and can be triggered remotely, so attackers can target affected devices directly. The CVSS score of 8.7 signals high severity. The CVSS vectors recorded in the history below specify PR:L (Au:S in CVSS 2.0), so the attacker needs a low-privileged authenticated session. While explicit exploitation probability data is unavailable, the existence of a public exploit makes abuse likely. The flaw is not recorded in the Known Exploited Vulnerabilities (KEV) catalog, but the remote code execution potential remains a critical risk.

Generated by OpenCVE AI on April 13, 2026 at 20:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Tenda F456 firmware to the latest version that contains the security fix.
  • If a patch is not yet available, block remote access to the router’s web‑management interface by restricting inbound traffic to its management ports or placing the router behind a firewall.
  • Monitor router logs for repeated attempts to access /goform/AdvSetWrlsafeset and investigate any suspicious activity.


Advisories

No advisories yet.

History

Tue, 14 Apr 2026 16:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Tenda; Tenda f456
Vendors & Products | | Tenda; Tenda f456

Mon, 13 Apr 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 13 Apr 2026 18:30:00 +0000

Type | Values Removed | Values Added
Description | | A flaw has been found in Tenda F456 1.0.0.5. This vulnerability affects the function formWrlsafeset of the file /goform/AdvSetWrlsafeset. Executing a manipulation of the argument mit_ssid can lead to stack-based buffer overflow. The attack may be performed from remote. The exploit has been published and may be used.
Title | | Tenda F456 AdvSetWrlsafeset formWrlsafeset stack-based overflow
Weaknesses | | CWE-119; CWE-121
References | |
Metrics | | cvssV2_0: {'score': 9, 'vector': 'AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}
Metrics | | cvssV3_0: {'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
Metrics | | cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-13T20:50:51.484Z

Reserved: 2026-04-13T08:48:08.480Z

Link: CVE-2026-6197

Vulnrichment

Updated: 2026-04-13T20:50:41.860Z

NVD

Status: Deferred

Published: 2026-04-13T19:16:57.610

Modified: 2026-04-22T20:23:16.350

Link: CVE-2026-6197

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:33:44Z

Weaknesses