Tenda AC6 15.03.05.16_multi is vulnerable to Buffer Overflow in the formSetCfm function via the funcname, funcpara1, and funcpara2 parameters.
The vulnerability results from improper validation of input data length (CWE-787 – out-of-bounds write, CWE-120 – classic buffer overflow) in the funcname, funcpara1, and funcpara2 parameters of the formSetCfm function. An attacker can supply specially crafted values of these parameters, causing a buffer overflow in the device's memory. The network vector (AV:N), no privilege requirements (PR:N), and no user interaction required (UI:N) mean that the exploit can be performed remotely, without any authorization.
Successful exploitation of the vulnerability may allow an attacker to execute arbitrary code remotely (RCE) on the device, which in practice means full takeover of the router, ability to intercept network traffic, and use of the device as an entry point to the local network.
Apply patches available from the manufacturer according to the references. Until the fix is implemented, it is recommended to restrict access to the device's administrative interface only to trusted IP addresses and disable remote management over WAN.
Tenda AC6 with firmware version 15.03.05.16_multi
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HTenda Ac6
HWTenda1.0Tenda Ac6 Firmware
OSTenda15.03.05.16_multi
Related vulnerabilities
Auth Bypass + RCE w Tenda AC6 via HTTP (CVE-2025-27129)
Buffer overflow w Tenda AC6 — funkcja fromAddressNat
Buffer overflow w Tenda AC6 — funkcja formWifiWpsOOB
Buffer overflow w Tenda AC6 — funkcja formSetSpeedWan
Buffer overflow w Tenda AC6 – funkcja formexeCommand