Description
A vulnerability was found in Tenda CX12L 16.03.53.12. This issue affects the function formSetPPTPServer of the file /goform/SetPptpServerCfg. The manipulation results in stack-based buffer overflow. The attack can be executed remotely. The exploit has been made public and could be used.
Published: 2026-05-08
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stack‑based buffer overflow occurs in the formSetPPTPServer function of the Tenda CX12L firmware. By sending a crafted request to the /goform/SetPptpServerCfg endpoint, an attacker can overwrite return addresses on the stack, enabling execution of arbitrary code. The vulnerability allows an adversary to compromise the router’s control plane, granting full control over the device and any networks connected through it.

Affected Systems

Tenda CX12L routers running firmware version 16.03.53.12 are affected. The flaw resides in the PPTP server configuration interface exposed to the WAN. No other vendors or products are listed by the CNA as impacted.

Risk and Exploitability

The CVSS score of 8.7 places the flaw in the High severity range. Although the EPSS score is not available, the exploit is publicly known and can be carried out remotely without authentication. The vulnerability is not listed in the CISA KEV catalog, but the lack of mitigation guidance and the remote nature of the attack result in a significant risk to affected deployments.

Generated by OpenCVE AI on May 8, 2026 at 06:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware release from Tenda that addresses the stack overflow in the PPTP server configuration function.
  • If an immediate firmware update is not possible, disable PPTP services on the router or block access to the /goform/SetPptpServerCfg endpoint from untrusted networks.
  • Monitor router logs for anomalous connection attempts or configuration changes and consider isolating the device from critical infrastructure until a patch is applied.

Advisories

No advisories yet.

History

Fri, 08 May 2026 11:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 08 May 2026 06:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Tenda cx12l
Vendors & Products | | Tenda cx12l

Fri, 08 May 2026 05:00:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was found in Tenda CX12L 16.03.53.12. This issue affects the function formSetPPTPServer of the file /goform/SetPptpServerCfg. The manipulation results in stack-based buffer overflow. The attack can be executed remotely. The exploit has been made public and could be used.
Title | | Tenda CX12L SetPptpServerCfg formSetPPTPServer stack-based overflow
First Time appeared | | Tenda; Tenda cx12l Firmware
Weaknesses | | CWE-119; CWE-121
CPEs | | cpe:2.3:o:tenda:cx12l_firmware:*:*:*:*:*:*:*:*
Vendors & Products | | Tenda; Tenda cx12l Firmware
References | |
Metrics | | cvssV2_0: {'score': 9, 'vector': 'AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}; cvssV3_0: {'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}; cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}; cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-08T10:35:06.800Z

Reserved: 2026-05-07T17:58:06.120Z

Link: CVE-2026-8138

Vulnrichment

Updated: 2026-05-08T10:35:03.305Z

NVD

Status: Received

Published: 2026-05-08T05:16:11.833

Modified: 2026-05-08T05:16:11.833

Link: CVE-2026-8138

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T06:45:02Z

Weaknesses