Description
A vulnerability has been found in Tenda F1202 1.2.0.20(408). Affected is the function fromPPTPUserSetting of the file /goform/PPTPUserSetting. Such manipulation of the argument delno leads to stack-based buffer overflow. The attack may be performed from remote. The exploit has been disclosed to the public and may be used.
Published: 2026-05-25
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stack-based buffer overflow in the fromPPTPUserSetting function of the Tenda F1202 firmware. It is triggered by manipulating the delno argument, allowing an attacker to corrupt the stack and achieve arbitrary code execution. This flaw can be exploited remotely and has been publicly disclosed.

Affected Systems

The affected product is the Tenda F1202 router running firmware version 1.2.0.20(408).

Risk and Exploitability

The CVSS score of 8.7 classifies this as a high severity vulnerability, indicating significant impact if exploited. The EPSS score is not available, yet the public availability of an exploit suggests a non‑negligible risk. The vulnerability is not listed in the CISA KEV database. Attackers can trigger the overflow remotely by sending a crafted request to the /goform/PPTPUserSetting endpoint, and success would likely enable arbitrary code execution or compromise the router’s firmware.

Generated by OpenCVE AI on May 25, 2026 at 07:51 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply a firmware update from Tenda that fixes the stack‑based buffer overflow in the PPTPUserSetting handler once one is available.
  • Disable PPTP functionality on the router if it is not required, or block access to the /goform/PPTPUserSetting page from external networks.
  • Restrict remote management of the device to trusted IP ranges, or enforce secure management protocols such as SSH or TLS and disable HTTP/HTTPS remote administration.
  • Implement runtime input validation for the delno parameter to ensure it does not exceed the expected length before being processed by the firmware.

Advisories

No advisories yet.

History

Mon, 25 May 2026 07:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Tenda f1202
Vendors & Products | | Tenda f1202

Mon, 25 May 2026 06:45:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability has been found in Tenda F1202 1.2.0.20(408). Affected is the function fromPPTPUserSetting of the file /goform/PPTPUserSetting. Such manipulation of the argument delno leads to stack-based buffer overflow. The attack may be performed from remote. The exploit has been disclosed to the public and may be used.
Title | | Tenda F1202 PPTPUserSetting fromPPTPUserSetting stack-based overflow
First Time appeared | | Tenda; Tenda f1202 Firmware
Weaknesses | | CWE-119; CWE-121
CPEs | | cpe:2.3:o:tenda:f1202_firmware:*:*:*:*:*:*:*:*
Vendors & Products | | Tenda; Tenda f1202 Firmware
References | |
Metrics | | cvssV2_0: {'score': 9, 'vector': 'AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0: {'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
 | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
 | | cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-25T05:00:14.895Z

Reserved: 2026-05-24T07:03:19.502Z

Link: CVE-2026-9428

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T08:00:12Z

Weaknesses