Description
A flaw has been found in Tenda F456 1.0.0.5. The affected element is an unknown function of the file /goform/setcfm of the component httpd. This manipulation of the argument funcname/funcpara1 causes buffer overflow. It is possible to initiate the attack remotely. The exploit has been published and may be used.
Published: 2026-04-26
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch immediately
AI Analysis

Impact

A buffer overflow flaw exists in the httpd component of the Tenda F456 router, triggered by manipulating the funcname/funcpara1 arguments in the /goform/setcfm endpoint. The overflow can be exploited to execute arbitrary code on the device, compromising confidentiality, integrity, and availability. The weakness matches the classic stack-based buffer overflow patterns identified by CWE-119 and CWE-120.

Affected Systems

The flaw affects the Tenda F456 router running firmware version 1.0.0.5. Only this specific firmware revision is known to contain the vulnerable implementation of the HTTP service.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity. The EPSS score of < 1% shows a low probability of current exploitation, but an exploit has already been published and could be used opportunistically. The vulnerability is not listed in CISA KEV, yet it remains a viable remote attack vector that can be triggered over the network.

Generated by OpenCVE AI on April 28, 2026 at 05:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest available router firmware that removes the /goform/setcfm buffer overflow.
  • If a firmware update is unavailable, block external access to the /goform/setcfm endpoint using a firewall or access control list.
  • Consider disabling the httpd service or applying network segmentation so that the vulnerable router is isolated from untrusted hosts.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 22:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Tenda f456 Firmware
CPEs | | cpe:2.3:h:tenda:f456:-:*:*:*:*:*:*:*
 | | cpe:2.3:o:tenda:f456_firmware:1.0.0.5:*:*:*:*:*:*:*
Vendors & Products | | Tenda f456 Firmware

Mon, 27 Apr 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 27 Apr 2026 18:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Tenda
 | | Tenda f456
Vendors & Products | | Tenda
 | | Tenda f456

Sun, 26 Apr 2026 19:00:00 +0000

Type | Values Removed | Values Added
Description | | A flaw has been found in Tenda F456 1.0.0.5. The affected element is an unknown function of the file /goform/setcfm of the component httpd. This manipulation of the argument funcname/funcpara1 causes buffer overflow. It is possible to initiate the attack remotely. The exploit has been published and may be used.
Title | | Tenda F456 httpd setcfm buffer overflow
Weaknesses | | CWE-119
 | | CWE-120
References | |
Metrics | | cvssV2_0: {'score': 9, 'vector': 'AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0: {'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
 | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
 | | cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-27T20:12:29.589Z

Reserved: 2026-04-26T01:02:52.714Z

Link: CVE-2026-7057

Vulnrichment

Updated: 2026-04-27T20:12:25.468Z

NVD

Status: Analyzed

Published: 2026-04-26T22:17:33.083

Modified: 2026-04-29T22:18:00.970

Link: CVE-2026-7057

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T05:15:22Z

Weaknesses