What is the CVSS score of CVE-2026-2139?

CVE-2026-2139 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Tx9 Firmware are affected by CVE-2026-2139?

A HIGH severity vulnerability (CVSS 8.8) affects Tenda TX9 WiFi routers up to version 22.03.02.10_multi, with public exploits already available.

Is there a public PoC exploit available for CVE-2026-2139?

Yes, a public proof-of-concept exploit is available for CVE-2026-2139. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2026-2139?

Within 24 hours: Identify all Tenda TX9 devices in your network and isolate affected units from critical systems; document inventory and affected firmware versions. Within 7 days: Disable the /goform/fast_setting_wifi_set function if technically feasible, implement network segmentation to limit router access, and establish monitoring for exploitation attempts. Within 30 days: Contact Tenda for patch availability and timeline; if no patch is forthcoming, evaluate replacement with a vendor offering active security support or consider discontinuation of affected devices.

Tx9 Firmware CVE-2026-2139

HIGH

Buffer Overflow (CWE-119)

2026-02-08 cna@vuldb.com

Buffer Overflow Tx9 Firmware

8.8

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

8.8 HIGH

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Feb 10, 2026 - 19:29 vuln.today

Public exploit code

CVE Published

Feb 08, 2026 - 07:15 nvd

HIGH 8.8

DescriptionCVE.org

A vulnerability was determined in Tenda TX9 up to 22.03.02.10_multi. Affected by this vulnerability is the function sub_432580 of the file /goform/fast_setting_wifi_set. This manipulation of the argument ssid causes buffer overflow. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized.

AnalysisAI

Buffer overflow in Tenda TX9 firmware versions up to 22.03.02.10_multi allows authenticated remote attackers to achieve full system compromise through a malicious SSID parameter in the WiFi configuration interface. Public exploit code is available for this vulnerability, and no patch has been released. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate to Tenda TX9 device

Delivery

Send POST request to /goform/fast_setting_wifi_set

Exploit

Inject oversized string in ssid parameter

Execution

Overflow buffer in sub_432580

Impact

Execute arbitrary code

Access

Authenticate to Tenda TX9 device

Delivery

Send POST request to /goform/fast_setting_wifi_set

Exploit

Inject oversized string in ssid parameter

Execution

Overflow buffer in sub_432580

Impact

Execute arbitrary code

Vulnerability AssessmentAI

Exploitation	Tenda TX9 device running firmware version 22.03.02.10_multi or earlier; attacker must have valid login credentials to access the /goform/fast_setting_wifi_set endpoint; device must be network-accessible. Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 8.8 (HIGH). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	A remote attacker could exploit this vulnerability to compromise the affected system.
Remediation	Monitor vendor advisories for a patch. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Tenda TX9 devices in your network and isolate affected units from critical systems; document inventory and affected firmware versions. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-2139 vulnerability details – vuln.today

Back

Tx9 Firmware CVE-2026-2139

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code