Cyber Posture

CVE-2026-2203

HighPublic PoC

Published: 09 February 2026

Published
09 February 2026
Modified
10 February 2026
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0011 29.2th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

A flaw has been found in Tenda AC8 16.03.33.05. Affected by this vulnerability is an unknown functionality of the file /goform/fast_setting_wifi_set of the component Embedded Httpd Service. This manipulation of the argument timeZone causes buffer overflow. Remote exploitation of the…

more

attack is possible. The exploit has been published and may be used.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly remediates the buffer overflow flaw in the Tenda AC8 Embedded Httpd Service by applying firmware patches or updates.

SI-10 Information Input Validation good match
prevent

Enforces validation of the timeZone argument in /goform/fast_setting_wifi_set to prevent buffer overflow from malformed input.

SI-16 Memory Protection partial match
prevent

Implements memory protections like ASLR and DEP to mitigate successful exploitation of the buffer overflow vulnerability.

Security SummaryAI

CVE-2026-2203 is a buffer overflow vulnerability affecting the Tenda AC8 router running firmware version 16.03.33.05. The flaw resides in an unknown functionality of the /goform/fast_setting_wifi_set file within the Embedded Httpd Service component. Manipulating the timeZone argument triggers the buffer overflow, as classified under CWE-119 and CWE-120. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-02-09.

The vulnerability enables remote exploitation by attackers with low privileges (PR:L), requiring network access but low complexity and no user interaction. Successful exploitation allows attackers to achieve high impacts on confidentiality, integrity, and availability, potentially leading to full compromise of the affected device.

Advisories and references, including those from VulDB (ctiid.344906, id.344906, submit.750226), document the issue but do not specify official patches or mitigations in the available details. A proof-of-concept exploit is publicly available on GitHub at repositories under SunnyYANGyaya/cuicuishark-sheep-fishIOT, including a dedicated markdown file and PoC section for the Tenda AC8 fast_setting_wifi_set timeZone manipulation.

In notable context, the published exploit increases the risk of real-world attacks on unpatched Tenda AC8 devices, particularly in IoT environments.

Details

CWE(s)
CWE-119CWE-120

Affected Products

tenda
ac8 firmware
16.03.33.05

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
Why these techniques?

Buffer overflow in the Embedded Httpd Service web interface (/goform/fast_setting_wifi_set) of a public-facing router enables exploitation of public-facing applications (T1190). With PR:L required but leading to full compromise (high C/I/A), it facilitates exploitation for privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References