Description
A vulnerability has been found in Tenda F456 1.0.0.5. This issue affects the function fromNatStaticSetting of the file /goform/NatStaticSetting. The manipulation of the argument page leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Published: 2026-04-13
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote stack-based buffer overflow that can lead to arbitrary code execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a stack-based buffer overflow in the fromNatStaticSetting function of the /goform/NatStaticSetting endpoint. By manipulating the page argument, an attacker can trigger memory corruption that can result in arbitrary code execution on the device. The description confirms that the attack can be launched remotely and that a public exploit is already available.

Affected Systems

The affected device is the Tenda F456 router running firmware version 1.0.0.5. No other versions are listed, so the risk applies to systems identified as Tenda F456 with that specific firmware release.

Risk and Exploitability

The CVSS score of 8.7 classifies this issue as high severity, indicating a significant threat to confidentiality, integrity, and availability. While the EPSS score is not available, the public nature of the exploit and the remote attack vector through the web interface increase the likelihood of real-world exploitation. The vulnerability is not listed in the CISA KEV catalog, but its severity and exposure warrant immediate attention.

Generated by OpenCVE AI on April 13, 2026 at 19:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update for the Tenda F456 router from the vendor’s website.
  • If a patch is not yet available, restrict access to the router’s management interface to trusted local machines only.
  • Disable or remove the NatStaticSetting functionality from the router’s configuration, if possible.
  • Monitor router logs for anomalous traffic targeting the /goform/NatStaticSetting endpoint to detect potential exploitation attempts.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 17:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 16:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Tenda; Tenda f456

Type: Vendors & Products
Values Removed: (none)
Values Added: Tenda; Tenda f456

Mon, 13 Apr 2026 18:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: A vulnerability has been found in Tenda F456 1.0.0.5. This issue affects the function fromNatStaticSetting of the file /goform/NatStaticSetting. The manipulation of the argument page leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Type: Title
Values Removed: (none)
Values Added: Tenda F456 NatStaticSetting fromNatStaticSetting stack-based overflow

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-119; CWE-121

Type: References

Type: Metrics
Values Removed: (none)
Values Added:
cvssV2_0 {'score': 9, 'vector': 'AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}
cvssV3_0 {'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-14T16:29:06.183Z

Reserved: 2026-04-13T08:48:12.088Z

Link: CVE-2026-6198

Vulnrichment

Updated: 2026-04-14T15:27:22.999Z

NVD

Status: Received

Published: 2026-04-13T19:16:57.817

Modified: 2026-04-13T19:16:57.817

Link: CVE-2026-6198

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:33:35Z

Weaknesses