Cyber Posture

CVE-2026-4254

Critical · Public PoC

Published: 16 March 2026

Modified: 20 March 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0023 (45.4th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

A weakness has been identified in Tenda AC8 up to 16.03.50.11. This vulnerability affects the function doSystemCmd of the file /goform/SysToolChangePwd of the component HTTP Endpoint. This manipulation of the argument local_2c causes stack-based buffer overflow. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks.

Mitigating Controls (NIST 800-53 r5) · AI

prevent

SI-2 requires timely remediation of flaws like the stack-based buffer overflow in the Tenda AC8 HTTP endpoint by applying vendor patches or firmware updates.

prevent

SI-10 mandates validation of HTTP inputs such as the local_2c argument to prevent stack-based buffer overflows in the doSystemCmd function.

prevent

SI-16 implements memory protections like stack canaries and ASLR to mitigate remote exploitation of the buffer overflow vulnerability.

Security Summary · AI

CVE-2026-4254 is a stack-based buffer overflow vulnerability affecting Tenda AC8 router firmware versions up to 16.03.50.11. The flaw is in the doSystemCmd function of the file /goform/SysToolChangePwd, part of the HTTP Endpoint component, where manipulation of the local_2c argument triggers the overflow. It is classified under CWE-119, CWE-121, and CWE-787.

The vulnerability enables remote exploitation by unauthenticated attackers (PR:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation can result in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H), yielding a CVSS v3.1 base score of 9.8.

Advisories and reports are available on VulDB (ctiid.351212, id.351212, submit.771773) and in a GitHub repository that details the CVE and includes a publicly available exploit. The manufacturer's site (tenda.com.cn) is referenced, though the disclosures give no specific patch details.

The exploit has been made publicly available, heightening the potential for real-world attacks on vulnerable devices.

Details

CWE(s)

Affected Products

tenda · ac8 firmware · ≤ 16.03.50.11

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

CVE-2026-4254 is a remotely exploitable buffer overflow in the HTTP endpoint (/goform/SysToolChangePwd) of a public-facing Tenda router, enabling unauthenticated attackers to achieve RCE, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References