Skip to main content

Tenda F451 EUVD-2026-35180

| CVE-2026-11557 HIGH
Stack-based Buffer Overflow (CWE-121)
2026-06-08 VulDB
Tenda Stack Overflow Buffer Overflow
7.4
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.4 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Updated
Jun 08, 2026 - 19:28 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 08, 2026 - 19:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 08, 2026 - 19:22 vuln.today
cvss_changed
CVSS changed
Jun 08, 2026 - 19:22 NVD
8.8 (HIGH) 7.4 (HIGH)
Analysis Generated
Jun 08, 2026 - 19:21 vuln.today

DescriptionCVE.org

A weakness has been identified in Tenda F451 1.0.0.7/1.0.0.9. The affected element is the function fromNatlimit of the file /goform/Natlimit of the component Web Management Interface. Executing a manipulation of the argument page can lead to stack-based buffer overflow. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks.

AnalysisAI

Stack-based buffer overflow in the Tenda F451 router (firmware 1.0.0.7 and 1.0.0.9) Web Management Interface allows remote authenticated attackers to corrupt memory by sending a crafted 'page' argument to the fromNatlimit handler at /goform/Natlimit. Publicly available exploit code exists, raising practical risk for exposed or LAN-reachable devices, though no public exploit identified as actively used in CISA KEV at time of analysis.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Reach Web Management Interface
Delivery
Authenticate with low-privileged credentials
Exploit
Send crafted POST to /goform/Natlimit
Install
Overflow stack buffer via 'page' argument
C2
Overwrite saved return address
Execute
Hijack control flow on router
Impact
Compromise device and pivot into LAN
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Attacker must have network reachability to the device's Web Management Interface (HTTP admin daemon) and valid low-privileged credentials to authenticate before invoking /goform/Natlimit (CVSS PR:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 7.4 (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H) reflects network reachability, low attack complexity, no user interaction, and high impact on confidentiality, integrity, and availability, but requires low privileges (PR:L) - meaning a valid admin/management credential is needed, which sharply limits internet-scale exploitation against properly configured devices. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained or guessed a low-privileged administrator credential (or reached an exposed management interface with default credentials) sends a crafted HTTP request to /goform/Natlimit with an oversized 'page' parameter. The fromNatlimit function copies the value onto the stack without bounds checking, overwriting the saved return address; the publicly posted PoC at the Robots10/IoT_vlu repository demonstrates the crash and parameter shape, providing a direct foothold for further weaponization on these embedded targets.
Remediation No vendor-released patch identified at time of analysis; monitor https://www.tenda.com.cn/ and the VulDB entry at https://vuldb.com/cve/CVE-2026-11557 for a firmware update covering versions beyond 1.0.0.9. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Inventory all Tenda F451 devices and identify firmware versions; implement firewall rules restricting management interface access to authorized administrator subnets only. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-38065 CRITICAL
9.8 Jun 15

Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_ims_on_with_apn via the

CVE-2026-38060 CRITICAL
9.8 Jun 15

Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_unlock_sim via the pin p
CVE-2026-38061 CRITICAL
9.8 Jun 15

Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_set_volume via the volum
CVE-2026-38062 CRITICAL
9.8 Jun 15

Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_set_rat_mode via the rat
CVE-2026-38063 CRITICAL
9.8 Jun 15

Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_radio_on_with_ia_apn via

Share

EUVD-2026-35180 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy