Cyber Resilience

CVE-2026-4489

Severity: High
Published: 20 March 2026
Modified: 22 April 2026
CVSS v4 score: 7.4 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0051 (39.3rd percentile)
Risk priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-4489 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Com (inferred from references). Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 39.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-4489 is a stack-based buffer overflow vulnerability in the Tenda A18 Pro router running firmware version 02.03.02.28. The issue resides in the form_fast_setting_wifi_set function within the /goform/fast_setting_wifi_set file. Published on 2026-03-20, it has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow).

Remote attackers with low privileges can exploit this vulnerability over the network with low complexity and without user interaction. Successful exploitation could result in high impacts to confidentiality, integrity, and availability, potentially allowing arbitrary code execution on the affected device. A public exploit is available, increasing the risk of widespread abuse.

Advisories and details are documented in references including a GitHub issue at https://github.com/lilukun337/cve/issues/1 and VulDB entries at https://vuldb.com/?ctiid.352015, https://vuldb.com/?id.352015, and https://vuldb.com/?submit.773619, with the vendor site at https://www.tenda.com.cn/. No specific patch or mitigation details are outlined in the available information.


Vulnerability details

A vulnerability was detected in Tenda A18 Pro 02.03.02.28. This vulnerability affects the function form_fast_setting_wifi_set of the file /goform/fast_setting_wifi_set. The manipulation results in stack-based buffer overflow. The attack may be launched remotely. The exploit is now public and may be used.


Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Stack-based buffer overflow in publicly exposed web form (/goform/fast_setting_wifi_set) on network device directly enables remote exploitation of a public-facing application (T1190) and arbitrary code execution from low-privileged access, facilitating privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2026-3729 (shared CWE-119, CWE-121)
- CVE-2026-6133 (shared CWE-119, CWE-121)
- CVE-2026-4553 (shared CWE-119, CWE-121)
- CVE-2026-2905 (shared CWE-119, CWE-121)
- CVE-2026-5608 (shared CWE-119, CWE-121)
- CVE-2026-6124 (shared CWE-119, CWE-121)
- CVE-2026-2928 (shared CWE-119, CWE-121)
- CVE-2026-2853 (shared CWE-119, CWE-121)
- CVE-2026-2885 (shared CWE-119, CWE-121)
- CVE-2026-2181 (shared CWE-119, CWE-121)

Affected Assets

Com (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5) [AI]

- SI-2 (prevent): requires timely remediation of flaws such as the stack-based buffer overflow in the form_fast_setting_wifi_set function by applying firmware patches or updates.
- SI-10 (prevent): enforces validation of inputs to the /goform/fast_setting_wifi_set endpoint, directly preventing exploitation of the buffer overflow via malformed WiFi setting data.
- SI-16 (prevent): implements memory protections such as stack canaries and non-executable stacks to block arbitrary code execution from the stack-based buffer overflow.
