Description
A security vulnerability has been detected in Tenda F456 1.0.0.5. This affects the function frmL7ImForm of the file /goform/L7Im. The manipulation of the argument page leads to buffer overflow. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used.
Published: 2026-05-24
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a classic buffer overflow located in the frmL7ImForm function of the /goform/L7Im page on Tenda F456 firmware 1.0.0.5. An attacker can supply an overly long or malformed page argument, causing memory corruption and potentially allowing arbitrary code execution. The weakness is classified as CWE-119 and CWE-120, indicating a lack of bounds checking on input data. Such a flaw can compromise confidentiality, integrity, and availability of the device and the network it governs.

Affected Systems

Tenda F456 routers running firmware version 1.0.0.5 are affected. No other Tenda models or firmware revisions are implicated in the current advisory.

Risk and Exploitability

The CVSS score of 8.7 reflects high severity, and the publicly disclosed exploit implies a realistic risk of remote exploitation. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is remote and requires network connectivity to the router’s web interface. With that access, an attacker could trigger the overflow and potentially install malware, gain full control of the device, or disrupt network services.

Generated by OpenCVE AI on May 24, 2026 at 17:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Tenda F456 firmware to a version that addresses the L7Im buffer overflow.
  • Restrict remote management of the router by limiting which IP addresses can access the web interface, or disable remote access entirely.
  • Apply firewall rules to block unauthenticated traffic to the /goform/L7Im endpoint from external networks.
  • Monitor router logs and network traffic for signs of exploitation attempts.
  • Check Tenda's website or vendor channels for firmware updates or patches.


Advisories

No advisories yet.

History

Sun, 24 May 2026 18:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Tenda f456
Vendors & Products | | Tenda f456

Sun, 24 May 2026 15:00:00 +0000

Type | Values Removed | Values Added
Description | | A security vulnerability has been detected in Tenda F456 1.0.0.5. This affects the function frmL7ImForm of the file /goform/L7Im. The manipulation of the argument page leads to buffer overflow. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used.
Title | | Tenda F456 L7Im frmL7ImForm buffer overflow
First Time appeared | | Tenda; Tenda f456 Firmware
Weaknesses | | CWE-119; CWE-120
CPEs | | cpe:2.3:o:tenda:f456_firmware:*:*:*:*:*:*:*:*
Vendors & Products | | Tenda; Tenda f456 Firmware
References | |
Metrics | | cvssV2_0: {'score': 9, 'vector': 'AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0: {'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
 | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
 | | cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-24T14:45:09.119Z

Reserved: 2026-05-23T15:04:09.855Z

Link: CVE-2026-9389

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-24T18:15:04Z

Weaknesses