Cyber Resilience

CVE-2026-4903

HighPublic PoC

Published: 26 March 2026

Published
26 March 2026
Modified
31 March 2026
KEV Added
Patch
CVSS Score v4 7.4 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0546 91.7th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-4903 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Ac5 Firmware. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 8.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-4903 is a stack-based buffer overflow vulnerability affecting Tenda AC5 routers running firmware version 15.03.06.47. The issue lies in the formQuickIndex function of the /goform/QuickIndex file within the POST Request Handler component, where manipulation of the PPPOEPassword argument triggers the overflow. Associated CWEs include CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-121 (Stack-based Buffer Overflow), and CWE-787 (Out-of-bounds Write). The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-03-26.

An attacker with low privileges can exploit this remotely over the network with low attack complexity and no user interaction. Exploitation of the buffer overflow may enable high-impact compromise, including unauthorized access to sensitive data, modification of system integrity, and disruption of availability, potentially leading to full router control.

Advisories detail the issue on VulDB (ctiid.353654, id.353654, submit.777380) and a Notion page with exploit analysis, while the Tenda vendor site (tenda.com.cn) is referenced for potential updates. A public exploit has been published and may be used, heightening exploitation risk.

EU & UK References

Vulnerability details

A flaw has been found in Tenda AC5 15.03.06.47. This vulnerability affects the function formQuickIndex of the file /goform/QuickIndex of the component POST Request Handler. This manipulation of the argument PPPOEPassword causes stack-based buffer overflow. The attack may be initiated…

more

remotely. The exploit has been published and may be used.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Stack-based buffer overflow in the router's remotely accessible web form handler (/goform/QuickIndex) directly enables remote exploitation of a public-facing network device interface, mapping to T1190 for initial access and full device compromise via published exploit.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-4906Same product: Tenda Ac5
CVE-2026-4905Same product: Tenda Ac5
CVE-2026-4904Same product: Tenda Ac5
CVE-2026-4902Same product: Tenda Ac5
CVE-2026-4961Same vendor: Tenda
CVE-2025-9748Same vendor: Tenda
CVE-2026-4960Same vendor: Tenda
CVE-2026-4254Same vendor: Tenda
CVE-2026-5155Same vendor: Tenda
CVE-2026-5152Same vendor: Tenda

Affected Assets

tenda
ac5 firmware
15.03.06.47

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 requires validation of information inputs such as the PPPOEPassword argument in POST requests to prevent stack-based buffer overflows from oversized or malformed data.

prevent

SI-2 mandates identification, reporting, and correction of flaws like the buffer overflow in the formQuickIndex function of Tenda AC5 firmware.

prevent

SI-16 enforces memory protections such as stack canaries and non-executable stacks to mitigate exploitation of the stack-based buffer overflow vulnerability.

References