CVE-2026-7055

HighPublic PoC

Published: 26 April 2026

Published

26 April 2026

Modified

29 April 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0016 36.3th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

A security vulnerability has been detected in Tenda F456 1.0.0.5. This issue affects the function fromVirtualSer of the file /goform/VirtualSer of the component httpd. The manipulation of the argument menufacturer/Go leads to buffer overflow. The attack is possible to be…

carried out remotely. The exploit has been disclosed publicly and may be used.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Requires timely remediation of the buffer overflow flaw in the Tenda F456 httpd component through firmware patches or updates.

SI-10 Information Input Validation good match

prevent

Mandates validation of the 'menufacturer/Go' argument in the fromVirtualSer function to prevent buffer overflow exploitation.

SI-16 Memory Protection partial match

prevent

Deploys memory protections like ASLR and stack canaries to mitigate remote code execution from the buffer overflow.

Security SummaryAI

CVE-2026-7055 is a buffer overflow vulnerability affecting the Tenda F456 router on firmware version 1.0.0.5. The flaw exists in the fromVirtualSer function within the /goform/VirtualSer file of the httpd component, triggered by manipulation of the "menufacturer/Go" argument.

The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is remotely exploitable. Attackers with low privileges, such as authenticated users, can trigger the buffer overflow over the network with low complexity and no user interaction, potentially achieving high impacts on confidentiality, integrity, and availability, including remote code execution.

Advisories detail the issue on VulDB at https://vuldb.com/vuln/359628 and https://vuldb.com/vuln/359628/cti, with a proof-of-concept exploit publicly disclosed on GitHub at https://github.com/Litengzheng/vuldb_new/blob/main/F456/vul_126/README.md. Additional submission details are at https://vuldb.com/submit/798457, and the vendor site is https://www.tenda.com.cn/. The exploit has been disclosed publicly and may be used.

Details

CWE(s): CWE-119 CWE-120

Affected Products

tenda

f456 firmware

1.0.0.5

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Buffer overflow in the httpd web component (/goform/VirtualSer) of a public-facing router web interface, remotely exploitable for RCE, directly maps to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/Litengzheng/vuldb_new/blob/main/F456/vul_126/README.md
Exploit, Vendor Advisory · cna@vuldb.com
https://vuldb.com/submit/798457
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/vuln/359628
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/vuln/359628/cti
Permissions Required, VDB Entry · cna@vuldb.com
https://www.tenda.com.cn/
Product · cna@vuldb.com