Vulnerabilities ›

CVE-2026-6120

High

CWE-119 — Weakness Type

                    Published: Apr 12, 2026                      ·  Modified: Apr 19, 2026                      ·  Source: NVD                

CVSS v3

8.8

🔗 NVD Official

📄 Description (English)

A vulnerability was detected in Tenda F451 1.0.0.7. Affected is the function fromDhcpListClient of the file /goform/DhcpListClient of the component httpd. The manipulation of the argument page results in stack-based buffer overflow. The attack can be launched remotely. The exploit is now public and may be used.

🤖 AI Executive Summary

A critical stack-based buffer overflow vulnerability exists in Tenda F451 router firmware (version 1.0.0.7) affecting the DHCP client list function. The vulnerability allows remote attackers to execute arbitrary code by manipulating the 'page' parameter without authentication. With CVSS 8.8 and public exploit availability, this poses immediate risk to organizations using Tenda routers for network infrastructure.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: Apr 23, 2026 02:50

🇸🇦 Saudi Arabia Impact Assessment

Saudi organizations using Tenda F451 routers face critical risk, particularly: (1) Government agencies and NCA infrastructure relying on these routers for network perimeter defense; (2) Banking sector (SAMA-regulated) using Tenda devices in branch networks or remote access infrastructure; (3) Telecom operators (STC, Mobily, Zain) potentially deploying these routers in customer premises equipment (CPE); (4) Healthcare facilities using Tenda routers for medical device network segmentation; (5) Energy sector (ARAMCO, utilities) with industrial control network access points. Remote code execution enables lateral movement, data exfiltration, and network compromise without authentication.

🏢 Affected Saudi Sectors

Government and Public Administration (NCA, NCSC) Banking and Financial Services (SAMA-regulated institutions) Telecommunications (STC, Mobily, Zain) Healthcare and Medical Services Energy and Utilities (ARAMCO, regional utilities) Education (universities, research institutions) Critical Infrastructure (water, transportation)

🎯 MITRE ATT&CK Techniques

T1190 - Exploit Public-Facing Application (remote exploitation of httpd) T1068 - Exploitation for Privilege Escalation (buffer overflow for code execution) T1021.001 - Remote Services: RDP (lateral movement post-compromise) T1059.001 - Command and Scripting Interpreter: PowerShell (post-exploitation) T1005 - Data from Local System (data exfiltration from compromised router) T1557.002 - Adversary-in-the-Middle: ARP Cache Poisoning (network interception) T1040 - Traffic Capture (packet sniffing from router position)

⚖️ Saudi Risk Score (AI)

9.2

/ 10.0

🔧 Remediation Steps (English)

IMMEDIATE ACTIONS:

1. Identify all Tenda F451 devices in your network using network scanning tools (nmap, Shodan queries for Saudi IP ranges)

2. Isolate affected devices from critical network segments immediately

3. Disable remote management access to Tenda devices (disable WAN access to HTTP/HTTPS ports)

4. Implement network segmentation: place Tenda routers in DMZ with strict firewall rules

5. Monitor for exploitation attempts using IDS/IPS signatures detecting buffer overflow patterns in /goform/DhcpListClient requests

PATCHING GUIDANCE:

- No official patch available from Tenda; contact vendor for firmware updates

- Consider replacing Tenda F451 with alternative vendors (Cisco, Fortinet, Juniper) that have active security support

- If replacement not feasible, apply compensating controls immediately

COMPENSATING CONTROLS:

1. Deploy WAF/IPS rules blocking requests to /goform/DhcpListClient endpoint

2. Implement strict input validation at network edge (block oversized 'page' parameters)

3. Restrict HTTP/HTTPS access to Tenda management interface to authorized IPs only

4. Enable detailed logging of all HTTP requests to Tenda devices

5. Implement network-based rate limiting on Tenda device access

DETECTION RULES:

- Alert on POST/GET requests to /goform/DhcpListClient with 'page' parameter > 256 bytes

- Monitor for unusual process execution on Tenda devices (SSH/telnet access attempts)

- Track failed authentication attempts followed by HTTP requests to vulnerable endpoint

- Detect abnormal outbound connections from Tenda device IP addresses

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. تحديد جميع أجهزة Tenda F451 في شبكتك باستخدام أدوات المسح (nmap، استعلامات Shodan للنطاقات السعودية)

2. عزل الأجهزة المتأثرة عن قطاعات الشبكة الحرجة فوراً

3. تعطيل الوصول الإداري البعيد (تعطيل وصول WAN إلى منافذ HTTP/HTTPS)

4. تطبيق تقسيم الشبكة: ضع أجهزة Tenda في DMZ مع قواعد جدار حماية صارمة

5. مراقبة محاولات الاستغلال باستخدام توقيعات IDS/IPS التي تكتشف أنماط تجاوز المخزن المؤقت

إرشادات التصحيح:

- لا يوجد تصحيح رسمي من Tenda؛ اتصل بالبائع للحصول على تحديثات البرامج الثابتة

- فكر في استبدال Tenda F451 ببائعين بدائل (Cisco, Fortinet, Juniper) لديهم دعم أمان نشط

- إذا لم يكن الاستبدال ممكناً، طبق الضوابط البديلة فوراً

الضوابط البديلة:

1. نشر قواعد WAF/IPS تحجب الطلبات إلى نقطة نهاية /goform/DhcpListClient

2. تطبيق التحقق الصارم من المدخلات على حافة الشبكة

3. تقييد وصول HTTP/HTTPS إلى واجهة إدارة Tenda للعناوين المصرح بها فقط

4. تفعيل تسجيل مفصل لجميع طلبات HTTP إلى أجهزة Tenda

5. تطبيق تحديد معدل قائم على الشبكة لوصول جهاز Tenda

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

ECC 2024 A.5.1.1 - Network perimeter security and router security controls ECC 2024 A.5.1.2 - Access control to network devices ECC 2024 A.5.1.3 - Monitoring and logging of network device access ECC 2024 A.6.2.1 - Vulnerability management and patch management ECC 2024 A.6.2.2 - Security testing and vulnerability assessment

🔵 SAMA CSF

SAMA CSF ID.AM-2 - Hardware and software inventory of network infrastructure SAMA CSF PR.AC-1 - Access control policies for network devices SAMA CSF PR.PT-1 - Protective technology deployment (IDS/IPS) SAMA CSF DE.CM-1 - Network monitoring and anomaly detection SAMA CSF RS.MI-2 - Incident response and containment procedures

🟡 ISO 27001:2022

ISO 27001:2022 A.5.15 - Access control to information systems ISO 27001:2022 A.5.16 - Identification and authentication ISO 27001:2022 A.5.23 - Information security for supplier relationships ISO 27001:2022 A.8.1 - Cryptography and secure communications ISO 27001:2022 A.8.2 - Physical and environmental security

🟣 PCI DSS v4.0.1

PCI DSS 1.1 - Firewall configuration standards PCI DSS 1.2 - Router configuration and security PCI DSS 2.1 - Default security parameters on network devices PCI DSS 6.2 - Security patches and updates PCI DSS 10.2 - Logging and monitoring of network access

🔗 References & Sources 5

🔗

https://github.com/Jimi-Lab/cve/issues/11

cna@vuldb.com

🔗

https://vuldb.com/submit/792864

cna@vuldb.com

🔗

https://vuldb.com/vuln/356983

cna@vuldb.com

🔗

https://vuldb.com/vuln/356983/cti

cna@vuldb.com

🔗

https://www.tenda.com.cn/

cna@vuldb.com

📊 CVSS Score

8.8

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityH — High

IntegrityH — High

AvailabilityH — High

📋 Quick Facts

Severity High

CVSS Score8.8

CWECWE-119

EPSS0.05%

Exploit No

Patch ✗ No

Published 2026-04-12

Source Feed nvd

🇸🇦 Saudi Risk Score

9.2

/ 10.0 — Saudi Risk

Priority: CRITICAL

🏷️ Tags

CWE-119

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2026-6120

💬 Comments

Introduce Yourself

Sign In Required