Vulnerabilities ›

CVE-2026-9431

High

CWE-119 — Weakness Type

                    Published: May 25, 2026                      ·  Modified: Jun 1, 2026                      ·  Source: NVD                

CVSS v3

8.8

🔗 NVD Official

📄 Description (English)

A vulnerability was identified in Tenda F1202 1.2.0.20(408). This affects the function fromPptpUserAdd of the file /goform/PptpUserAdd. The manipulation of the argument opttype leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit is publicly available and might be used.

🤖 AI Executive Summary

A critical stack-based buffer overflow vulnerability exists in Tenda F1202 router firmware (version 1.2.0.20(408)) affecting the PPTP user management function. The vulnerability allows remote attackers to execute arbitrary code by manipulating the 'opttype' parameter, potentially compromising network infrastructure. With a CVSS score of 8.8 and no patch currently available, this poses an immediate threat to organizations relying on Tenda routers for network access.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: May 28, 2026 19:04

🇸🇦 Saudi Arabia Impact Assessment

This vulnerability poses significant risk to Saudi telecommunications infrastructure (STC, Mobily, Zain) and government agencies (NCA, CITC) that may use Tenda routers for VPN access and network management. Banking sector (SAMA-regulated institutions) could face compromised network perimeters if Tenda devices are deployed in branch offices or remote access scenarios. Energy sector (ARAMCO, SEC) and healthcare organizations using these routers for PPTP connectivity face potential lateral movement risks. Small and medium enterprises across all sectors represent the largest exposure due to cost-effective Tenda router adoption.

🏢 Affected Saudi Sectors

Telecommunications (STC, Mobily, Zain) Government (NCA, CITC, Ministry of Interior) Banking and Financial Services (SAMA-regulated institutions) Energy (ARAMCO, SEC) Healthcare Small and Medium Enterprises (SMEs) Education Retail

🎯 MITRE ATT&CK Techniques

T1190 - Exploit Public-Facing Application (remote exploitation of router management interface) T1068 - Exploitation for Privilege Escalation (buffer overflow leading to code execution) T1021 - Remote Services (PPTP VPN access compromise) T1059 - Command and Scripting Interpreter (arbitrary code execution post-exploitation) T1570 - Lateral Tool Transfer (potential lateral movement from compromised router) T1040 - Traffic Capture or Redirection (network traffic interception from router position)

⚖️ Saudi Risk Score (AI)

8.5

/ 10.0

🔧 Remediation Steps (English)

IMMEDIATE ACTIONS:

1. Identify all Tenda F1202 devices running firmware version 1.2.0.20(408) in your network using network scanning tools

2. Disable PPTP service immediately if not critical to operations

3. Restrict network access to PPTP management interface (/goform/PptpUserAdd) using firewall rules to trusted IPs only

4. Implement network segmentation to isolate affected routers from critical systems



PATCHING GUIDANCE:

5. Contact Tenda support for firmware updates; check vendor website regularly for patches

6. If patch becomes available, test in isolated environment before production deployment

7. Maintain inventory of all Tenda devices and firmware versions for tracking



COMPENSATING CONTROLS:

8. Deploy Web Application Firewall (WAF) rules to detect/block suspicious opttype parameter values

9. Monitor router logs for unusual PPTP user addition attempts

10. Implement IDS/IPS signatures detecting stack overflow patterns in HTTP requests to /goform/PptpUserAdd

11. Use VPN alternatives (IPSec, L2TP) instead of PPTP where possible

12. Enable router authentication and disable default credentials



DETECTION RULES:

13. Alert on HTTP POST requests to /goform/PptpUserAdd with opttype parameter containing unusual character sequences or excessive length

14. Monitor for unexpected process execution or privilege escalation on router management interfaces

15. Track failed and successful PPTP authentication attempts for anomalies

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. تحديد جميع أجهزة Tenda F1202 التي تعمل بإصدار البرنامج الثابت 1.2.0.20(408) في شبكتك باستخدام أدوات المسح

2. تعطيل خدمة PPTP فوراً إذا لم تكن حرجة للعمليات

3. تقييد الوصول إلى واجهة إدارة PPTP (/goform/PptpUserAdd) باستخدام قواعد جدار الحماية للعناوين الموثوقة فقط

4. تنفيذ تقسيم الشبكة لعزل الأجهزة المتأثرة عن الأنظمة الحرجة

إرشادات التصحيح:

5. التواصل مع دعم Tenda للحصول على تحديثات البرنامج الثابت؛ تحقق من موقع المورد بانتظام

6. اختبار التصحيح في بيئة معزولة قبل النشر في الإنتاج

7. الحفاظ على جرد لجميع أجهزة Tenda وإصدارات البرنامج الثابت

الضوابط البديلة:

8. نشر قواعد جدار حماية تطبيقات الويب (WAF) للكشف عن قيم معاملات opttype المريبة

9. مراقبة سجلات الجهاز للكشف عن محاولات إضافة مستخدمي PPTP غير العادية

10. تنفيذ توقيعات IDS/IPS للكشف عن أنماط تجاوز المكدس في طلبات HTTP

11. استخدام بدائل VPN (IPSec، L2TP) بدلاً من PPTP حيث أمكن

12. تفعيل المصادقة على الجهاز وتعطيل بيانات الاعتماد الافتراضية

قواعد الكشف:

13. تنبيهات على طلبات HTTP POST إلى /goform/PptpUserAdd بمعاملات opttype تحتوي على تسلسلات أحرف غير عادية

14. مراقبة تنفيذ العمليات غير المتوقعة على واجهات إدارة الجهاز

15. تتبع محاولات المصادقة الفاشلة والناجحة لـ PPTP للكشف عن الشذوذ

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

ECC 2024 A.8.1 - Asset Management (inventory and tracking of network devices) ECC 2024 A.13.1 - Network Security (network access control and segmentation) ECC 2024 A.14.2 - System Development and Maintenance (patch management) ECC 2024 A.12.6 - Technical Vulnerability Management (vulnerability assessment and remediation)

🔵 SAMA CSF

SAMA CSF ID.AM-2 - Asset Management (hardware and software inventory) SAMA CSF PR.AC-3 - Access Control (network access restrictions) SAMA CSF PR.MA-2 - Maintenance (patch and update management) SAMA CSF DE.CM-8 - Monitoring Activities (detection and analysis of anomalies)

🟡 ISO 27001:2022

ISO 27001:2022 A.5.19 - Inventory of information and other assets ISO 27001:2022 A.8.1 - Screening (asset management and tracking) ISO 27001:2022 A.8.2 - User access management (network access control) ISO 27001:2022 A.8.6 - Access control to networks and network services ISO 27001:2022 A.14.2 - Security updates and patches

🟣 PCI DSS v4.0.1

PCI DSS 1.1 - Firewall configuration standards (network segmentation) PCI DSS 2.1 - Change default vendor-supplied passwords PCI DSS 6.2 - Security patches and updates PCI DSS 11.2 - Vulnerability scanning and assessment

🔗 References & Sources 5

🔗

https://github.com/Litengzheng/vuldb_new2/blob/main/F1202/vul_35/README.md

cna@vuldb.com

🔗

https://vuldb.com/submit/813916

cna@vuldb.com

🔗

https://vuldb.com/vuln/365412

cna@vuldb.com

🔗

https://vuldb.com/vuln/365412/cti

cna@vuldb.com

🔗

https://www.tenda.com.cn/

cna@vuldb.com

📊 CVSS Score

8.8

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityH — High

IntegrityH — High

AvailabilityH — High

📋 Quick Facts

Severity High

CVSS Score8.8

CWECWE-119

EPSS0.05%

Exploit No

Patch ✗ No

Published 2026-05-25

Source Feed nvd

🇸🇦 Saudi Risk Score

8.5

/ 10.0 — Saudi Risk

Priority: CRITICAL

🏷️ Tags

CWE-119

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2026-9431

Introduce Yourself

Sign In Required