Skip to main content

Tenda W3 CVE-2026-3972

HIGH
Buffer Overflow (CWE-119)
2026-03-12 cna@vuldb.com
7.4
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.4 HIGH
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Updated
Apr 29, 2026 - 01:36 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 29, 2026 - 01:11 vuln.today
cvss_changed
CVSS changed
Apr 29, 2026 - 01:11 NVD
8.7 (HIGH) 7.4 (HIGH)
Analysis Generated
Mar 12, 2026 - 19:57 vuln.today
CVE Published
Mar 12, 2026 - 02:15 nvd
HIGH 8.7

DescriptionCVE.org

A vulnerability was found in Tenda W3 1.0.0.3(2204). Affected by this issue is the function formSetCfm of the file /goform/setcfm of the component HTTP Handler. The manipulation of the argument funcpara1 results in stack-based buffer overflow. The attack can only be performed from the local network. The exploit has been made public and could be used.

AnalysisAI

Stack-based buffer overflow in Tenda W3 firmware 1.0.0.3(2204) HTTP handler allows adjacent network attackers to achieve remote code execution without authentication. The vulnerability resides in the formSetCfm function's handling of the funcpara1 parameter at /goform/setcfm. Public exploit code is available on GitHub, though EPSS probability remains low at 0.03% (7th percentile), indicating limited real-world exploitation activity. CISA KEV does not list this vulnerability, suggesting no confirmed widespread or targeted exploitation campaigns.

Technical ContextAI

This is a classic stack-based buffer overflow (CWE-119) in embedded device firmware. The Tenda W3 is a wireless router, and the vulnerability affects its web management interface HTTP handler. When processing requests to the /goform/setcfm endpoint, the formSetCfm function fails to properly validate the length of the funcpara1 parameter before copying it to a fixed-size stack buffer. This allows an attacker to write beyond the allocated buffer boundary, corrupting adjacent stack memory including the return address. By carefully crafting the overflow payload, an attacker can hijack control flow and execute arbitrary code in the context of the web server process, typically with root/administrative privileges on embedded Linux-based router firmware. The CPE string identifies the exact affected firmware version as 1.0.0.3(2204) for Tenda W3 devices.

RemediationAI

No vendor-released patch identified at time of analysis. Tenda has not published a security advisory or updated firmware version addressing this vulnerability per available data. Compensating controls should be implemented immediately: First, disable HTTP/HTTPS management interface access from WiFi networks and restrict administrative access to wired Ethernet connections only via router configuration settings (trade-off: cannot manage device wirelessly). Second, ensure the web management interface is bound only to the LAN interface and not accessible from the WAN side (verify in Network Settings > Remote Management is disabled). Third, change default administrative credentials and implement strong passwords to prevent exploitation chains that might combine this with authentication bypass vulnerabilities. Fourth, place Tenda W3 devices behind a firewall that restricts Layer 2 adjacency to trusted network segments only. Fifth, monitor for abnormal POST requests to /goform/setcfm endpoints in web server logs. Consider replacing affected devices with alternative router models if Tenda does not release a patched firmware version. Advisory reference: https://vuldb.com/?id.350407

More in Tenda

View all
CVE-2022-30023 HIGH POC
8.8 Jun 16

Tenda ONT GPON AC1200 Dual band WiFi HG9 v1.0.1 is vulnerable to Command Injection via the Ping function. Rated high sev

CVE-2015-5995 CRITICAL POC
9.8 Dec 31

Mediabridge Medialink MWN-WAPR300N devices with firmware 5.07.50 and Tenda N3 Wireless N150 devices allow remote attacke

CVE-2014-5246 CRITICAL POC
10.0 Aug 22

The Shenzhen Tenda Technology Tenda A5s router with firmware 3.02.05_CN allows remote attackers to bypass authentication

CVE-2025-45042 CRITICAL POC
9.8 May 05

Tenda AC9 v15.03.05.14 was discovered to contain a command injection vulnerability via the Telnet function. Rated critic

CVE-2025-29384 CRITICAL POC
9.8 Mar 14

In Tenda AC9 v1.0 V15.03.05.14_multi, the wanMTU parameter of /goform/AdvSetMacMtuWan has a stack overflow vulnerability

CVE-2025-44877 CRITICAL POC
9.8 May 02

Tenda AC9 V15.03.06.42_multi was found to contain a command injection vulnerability in the formSetSambaConf function via

CVE-2025-44872 CRITICAL POC
9.8 May 02

Tenda AC9 V15.03.06.42_multi was found to contain a command injection vulnerability in the formsetUsbUnload function via

CVE-2022-32386 CRITICAL POC
9.8 Jul 06

Tenda AC23 v16.03.07.44 was discovered to contain a buffer overflow via fromAdvSetMacMtuWan. Rated critical severity (CV

CVE-2025-25632 CRITICAL POC
9.8 Mar 05

Tenda AC15 v15.03.05.19 is vulnerable to Command Injection via the handler function in /goform/telnet. Rated critical se

CVE-2023-51972 CRITICAL POC
9.8 Jan 10

Tenda AX1803 v1.0.0.1 was discovered to contain a command injection vulnerability via the function fromAdvSetLanIp. Rate

CVE-2023-51812 CRITICAL POC
9.8 Jan 04

Tenda AX3 v16.03.12.11 was discovered to contain a remote code execution (RCE) vulnerability via the list parameter at /

CVE-2025-45429 CRITICAL POC
9.8 Apr 23

In the Tenda ac9 v1.0 router with firmware V15.03.05.14_multi, there is a stack overflow vulnerability in /goform/WifiWp

Share

CVE-2026-3972 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy