CVE-2026-2180

HighPublic PoC

Published: 08 February 2026

Published

08 February 2026

Modified

10 February 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0010 27.6th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

A vulnerability was identified in Tenda RX3 16.03.13.11. Affected is an unknown function of the file /goform/fast_setting_wifi_set. Such manipulation of the argument ssid_5g leads to stack-based buffer overflow. The attack can be launched remotely. The exploit is publicly available and…

might be used.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents stack buffer overflows by enforcing input validation on parameters like ssid_5g at web endpoints such as /goform/fast_setting_wifi_set.

SI-16 Memory Protection good match

prevent

Mitigates exploitation of stack-based buffer overflows through memory protections like stack canaries and address space layout randomization.

SI-2 Flaw Remediation good match

prevent

Requires timely patching and remediation of the specific buffer overflow flaw in Tenda RX3 firmware version 16.03.13.11.

Security SummaryAI

CVE-2026-2180 is a stack-based buffer overflow vulnerability in Tenda RX3 firmware version 16.03.13.11. The flaw affects an unknown function in the /goform/fast_setting_wifi_set file, triggered by manipulation of the ssid_5g argument. It is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow), with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

The vulnerability enables remote exploitation by attackers with low privileges, such as authenticated users, requiring low complexity and no user interaction. Successful attacks can result in high impacts to confidentiality, integrity, and availability, potentially leading to arbitrary code execution on the device. A public exploit is available, which may facilitate its use in the wild.

Advisories and additional details are provided by VulDB (ctiid.344883, id.344883, submit.749703) and a GitHub issue at LX-66-LX/cve-new/issues/4, along with the vendor site at tenda.com.cn. Security practitioners should review these references for any patch availability or mitigation guidance.

Details

CWE(s): CWE-119 CWE-121

Affected Products

tenda

rx3 firmware

16.03.13.11

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Stack-based buffer overflow in router web interface (/goform/fast_setting_wifi_set) allows remote authenticated attackers to achieve arbitrary code execution, directly enabling T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/LX-66-LX/cve-new/issues/4
Exploit, Issue Tracking · cna@vuldb.com
https://vuldb.com/?ctiid.344883
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.344883
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.749703
Third Party Advisory, VDB Entry · cna@vuldb.com
https://www.tenda.com.cn/
Product · cna@vuldb.com