CVE-2026-2872

HighPublic PoC

Published: 21 February 2026

Published

21 February 2026

Modified

23 February 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0011 29.3th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

A security vulnerability has been detected in Tenda A21 1.0.0.0. This vulnerability affects the function set_device_name of the file /goform/setBlackRule of the component MAC Filtering Configuration Endpoint. Such manipulation of the argument devName/mac leads to stack-based buffer overflow. The attack…

may be performed from remote. The exploit has been disclosed publicly and may be used.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents stack-based buffer overflow by validating the devName/mac argument in the /goform/setBlackRule endpoint prior to processing.

SI-2 Flaw Remediation good match

prevent

Mitigates the vulnerability by identifying, testing, and deploying firmware patches from the vendor to remediate the specific buffer overflow flaw.

SI-16 Memory Protection good match

prevent

Protects against exploitation of the stack-based buffer overflow through memory safeguards such as stack canaries, ASLR, and DEP.

Security SummaryAI

CVE-2026-2872 is a stack-based buffer overflow vulnerability in Tenda A21 firmware version 1.0.0.0, published on 2026-02-21. It affects the set_device_name function within the /goform/setBlackRule endpoint of the MAC Filtering Configuration component. The flaw arises from improper handling of the devName/mac argument, as documented under CWEs-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow).

The vulnerability enables remote exploitation by an attacker with low privileges (PR:L per CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, scoring 8.8). No user interaction is required, and low complexity suffices for manipulation of the vulnerable argument. Successful attacks can result in high impacts to confidentiality, integrity, and availability, potentially leading to remote code execution on the affected device.

Advisories on VulDB (ctiid.347109, id.347109, submit.754634) detail the issue and confirm remote exploitability. A GitHub repository (QIU-DIE/cve-nneeww/issues/3) has publicly disclosed an exploit. Security practitioners should check the vendor site at tenda.com.cn for patches or firmware updates to mitigate exposure.

Details

CWE(s): CWE-119 CWE-121

Affected Products

tenda

a21 firmware

1.0.0.0

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability is a remotely exploitable stack-based buffer overflow in a public-facing web endpoint (/goform/setBlackRule) on Tenda A21 router firmware, enabling RCE, which directly maps to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/QIU-DIE/cve-nneeww/issues/3
Exploit, Issue Tracking, Mitigation, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.347109
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.347109
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.754634
Third Party Advisory, VDB Entry · cna@vuldb.com
https://www.tenda.com.cn/
Product · cna@vuldb.com