Description
A vulnerability was found in Tenda F1202 1.2.0.20(408). Affected by this vulnerability is the function formWrlExtraSet of the file /goform/WrlExtraSet. Performing a manipulation of the argument delno results in stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been made public and could be used.
Published: 2026-05-25
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stack-based buffer overflow occurs in the formWrlExtraSet function, reached through /goform/WrlExtraSet, in Tenda F1202 firmware 1.2.0.20(408). By sending a crafted delno argument, an attacker can overwrite stack memory and potentially execute arbitrary code on the device. The weakness is classified as CWE-119 and CWE-121.

Affected Systems

The affected device is the Tenda F1202 router running firmware 1.2.0.20(408). No other firmware versions were identified as vulnerable, and the CNA listed only this specific version.

Risk and Exploitability

The CVSS base score of 8.7 classifies the issue as high severity. The EPSS score is not available, but the vulnerability is publicly disclosed and can be triggered remotely through the router's web interface; the listed CVSS vectors specify that low privileges are required (PR:L). The absence of a KEV listing does not reduce the risk; attackers can still exploit the flaw to gain full control of the device. Because remote code execution is possible, organizations should prioritize patching or mitigating through network controls.

Generated by OpenCVE AI on May 25, 2026 at 07:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the router to the latest Tenda firmware that contains the fix for the formWrlExtraSet buffer overflow.
  • If a firmware update is not yet available, block or restrict access to the /goform/WrlExtraSet endpoint, for example by configuring firewall or router access‑control lists, or by disabling the WrlExtraSet functionality if the device allows.
  • Restrict the router's web management interface to trusted internal ranges or expose it only through a VPN to reduce the attack surface.

Advisories

No advisories yet.

History

Mon, 25 May 2026 07:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Tenda f1202
Vendors & Products | | Tenda f1202

Mon, 25 May 2026 06:45:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was found in Tenda F1202 1.2.0.20(408). Affected by this vulnerability is the function formWrlExtraSet of the file /goform/WrlExtraSet. Performing a manipulation of the argument delno results in stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been made public and could be used.
Title | | Tenda F1202 WrlExtraSet formWrlExtraSet stack-based overflow
First Time appeared | | Tenda; Tenda f1202 Firmware
Weaknesses | | CWE-119; CWE-121
CPEs | | cpe:2.3:o:tenda:f1202_firmware:*:*:*:*:*:*:*:*
Vendors & Products | | Tenda; Tenda f1202 Firmware
References | |
Metrics | | cvssV2_0: {'score': 9, 'vector': 'AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0: {'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
 | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
 | | cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-25T05:15:09.759Z

Reserved: 2026-05-24T07:03:22.153Z

Link: CVE-2026-9429

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T07:30:19Z

Weaknesses