EUVD-2026-16724
GHSA-qhww-r997-h23m
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4Description
A vulnerability was identified in Tenda AC6 15.03.05.16. Affected by this vulnerability is the function formQuickIndex of the file /goform/QuickIndex of the component POST Request Handler. The manipulation of the argument PPPOEPassword leads to stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
Remote attackers with low-level authentication can execute arbitrary code on Tenda AC6 routers running firmware version 15.03.05.16 by exploiting a stack-based buffer overflow in the formQuickIndex function via crafted PPPOEPassword parameters in POST requests to /goform/QuickIndex. Publicly available exploit code exists, demonstrating practical exploitation of this critical vulnerability with CVSS 8.8 (High severity, network-accessible, low complexity). …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Audit network inventory to identify all Tenda AC6 routers running firmware version 15.03.05.16 and document their locations and network roles. Within 7 days: Implement network segmentation to isolate affected routers from critical systems and restrict administrative access to trusted networks only; consider disabling remote management features if business operations permit. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today