Cyber Resilience

CVE-2026-2872

HighPublic PoC

Published: 21 February 2026

Published
21 February 2026
Modified
23 February 2026
KEV Added
Patch
CVSS Score v4 7.4 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0057 42.6th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-2872 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda A21 Firmware. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 42.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-2872 is a stack-based buffer overflow vulnerability in Tenda A21 firmware version 1.0.0.0, published on 2026-02-21. It affects the set_device_name function within the /goform/setBlackRule endpoint of the MAC Filtering Configuration component. The flaw arises from improper handling of the devName/mac argument, as documented under CWEs-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow).

The vulnerability enables remote exploitation by an attacker with low privileges (PR:L per CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, scoring 8.8). No user interaction is required, and low complexity suffices for manipulation of the vulnerable argument. Successful attacks can result in high impacts to confidentiality, integrity, and availability, potentially leading to remote code execution on the affected device.

Advisories on VulDB (ctiid.347109, id.347109, submit.754634) detail the issue and confirm remote exploitability. A GitHub repository (QIU-DIE/cve-nneeww/issues/3) has publicly disclosed an exploit. Security practitioners should check the vendor site at tenda.com.cn for patches or firmware updates to mitigate exposure.

EU & UK References

Vulnerability details

A security vulnerability has been detected in Tenda A21 1.0.0.0. This vulnerability affects the function set_device_name of the file /goform/setBlackRule of the component MAC Filtering Configuration Endpoint. Such manipulation of the argument devName/mac leads to stack-based buffer overflow. The attack…

more

may be performed from remote. The exploit has been disclosed publicly and may be used.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a remotely exploitable stack-based buffer overflow in a public-facing web endpoint (/goform/setBlackRule) on Tenda A21 router firmware, enabling RCE, which directly maps to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-2886Same product: Tenda A21
CVE-2026-2870Same product: Tenda A21
CVE-2026-2871Same product: Tenda A21
CVE-2026-2874Same product: Tenda A21
CVE-2026-2873Same product: Tenda A21
CVE-2025-8017Same vendor: Tenda
CVE-2025-14665Same vendor: Tenda
CVE-2026-5604Same vendor: Tenda
CVE-2025-11386Same vendor: Tenda
CVE-2025-7792Same vendor: Tenda

Affected Assets

tenda
a21 firmware
1.0.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents stack-based buffer overflow by validating the devName/mac argument in the /goform/setBlackRule endpoint prior to processing.

prevent

Mitigates the vulnerability by identifying, testing, and deploying firmware patches from the vendor to remediate the specific buffer overflow flaw.

prevent

Protects against exploitation of the stack-based buffer overflow through memory safeguards such as stack canaries, ASLR, and DEP.

References