Cyber Resilience

CVE-2026-4254

High · Public PoC

Published: 16 March 2026
Modified: 20 March 2026
CVSS Score v4: 8.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0089 (54.6th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-4254 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda AC8 firmware. Its CVSS base score is 8.9 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 45.4% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-4254 is a stack-based buffer overflow vulnerability affecting Tenda AC8 router firmware versions up to 16.03.50.11. The flaw exists in the doSystemCmd function of /goform/SysToolChangePwd, part of the HTTP endpoint component, where manipulation of the local_2c argument triggers the overflow. It is classified under CWEs 119, 121, and 787.

The vulnerability enables remote exploitation by unauthenticated attackers (PR:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation can result in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H), yielding a CVSS v3.1 base score of 9.8.

Advisories and reports are documented on VulDB (ctiid.351212, id.351212, submit.771773) and in a GitHub repository that details the CVE and includes a publicly available exploit. The manufacturer's site (tenda.com.cn) is referenced, though specific patch details are not outlined in the disclosures.

The exploit has been made publicly available, heightening the potential for real-world attacks on vulnerable devices.

Vulnerability details

A weakness has been identified in Tenda AC8 up to 16.03.50.11. This vulnerability affects the function doSystemCmd of the file /goform/SysToolChangePwd of the component HTTP Endpoint. This manipulation of the argument local_2c causes stack-based buffer overflow. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2026-4254 is a remotely exploitable buffer overflow in the HTTP endpoint (/goform/SysToolChangePwd) of a public-facing Tenda router, enabling unauthenticated attackers to achieve RCE, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-1853 · Same product: Tenda AC8
CVE-2025-51087 · Same product: Tenda AC8
CVE-2025-29100 · Same product: Tenda AC8
CVE-2024-57704 · Same product: Tenda AC8
CVE-2026-2202 · Same product: Tenda AC8
CVE-2024-57703 · Same product: Tenda AC8
CVE-2025-25663 · Same product: Tenda AC8
CVE-2025-25664 · Same product: Tenda AC8
CVE-2026-3044 · Same product: Tenda AC8
CVE-2026-4252 · Same product: Tenda AC8

Affected Assets

Vendor: tenda · Product: ac8 firmware · Affected versions: ≤ 16.03.50.11

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: SI-2 requires timely remediation of flaws like the stack-based buffer overflow in the Tenda AC8 HTTP endpoint by applying vendor patches or firmware updates.

Prevent: SI-10 mandates validation of HTTP inputs such as the local_2c argument to prevent stack-based buffer overflows in the doSystemCmd function.

Prevent: SI-16 implements memory protections like stack canaries and ASLR to mitigate remote exploitation of the buffer overflow vulnerability.
