Cyber Posture

CVE-2026-4904

Severity: High · Public PoC

Published: 27 March 2026
Modified: 31 March 2026
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0009 (25.6th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-4904 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda AC5 firmware. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 25.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 1 other technique.

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent: Requires validation of the funcpara1 argument in POST requests to /goform/setcfm, directly preventing the stack-based buffer overflow exploitation.

prevent: Mandates timely identification, testing, and installation of firmware patches for the known buffer overflow flaw in Tenda AC5 version 15.03.06.47.

prevent: Implements memory protections such as stack canaries and address space layout randomization to mitigate stack-based buffer overflow exploits even if the input flaw persists.
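
One way to apply the input-validation control above at a filtering proxy placed in front of the device, as an added example that is not code from the advisory or the vendor. The 64-byte limit, the function names and the sample requests are assumptions; the page does not state the size of the affected buffer.

```python
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/goform/setcfm"  # handler named in the advisory
PARAM = "funcpara1"             # argument named in the advisory
MAX_LEN = 64                    # ASSUMPTION: policy limit, not the real buffer size


def param_lengths(target: str, body: bytes) -> list[int]:
    """Decoded byte length of every funcpara1 value in the query string and body.

    latin-1 maps each byte to exactly one character, so len() counts the bytes
    the handler would receive after percent-decoding, not the encoded size.
    """
    lengths = []
    for source in (urlsplit(target).query, body.decode("latin-1")):
        fields = parse_qs(source, keep_blank_values=True, encoding="latin-1")
        lengths += [len(value) for value in fields.get(PARAM, [])]
    return lengths


def check_request(target: str, body: bytes, max_len: int = MAX_LEN):
    """Return (allow, reason) for one request seen by the filter.

    Applied to every HTTP method, which is stricter than the POST case
    the advisory describes.
    """
    if urlsplit(target).path.rstrip("/") != TARGET_PATH:
        return True, "not the affected handler"
    worst = max(param_lengths(target, body), default=0)
    if worst > max_len:
        return False, f"{PARAM} is {worst} bytes, limit {max_len}"
    return True, "within limit"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        ("/goform/setcfm", b"funcpara1=save&funcpara2=1"),
        ("/goform/setcfm", b"funcpara1=" + b"%41" * 65),
        ("/goform/other", b"funcpara1=" + b"A" * 200),
    ]
    for target, body in samples:
        print(target, check_request(target, body))
```

Rejected requests are worth logging with the source address, since the handler requires an authenticated session.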

MITRE ATT&CK Enterprise Techniques · AI

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

A stack-based buffer overflow in an authenticated web form handler (/goform/setcfm) on a network device directly enables remote exploitation of a public-facing application (T1190) for arbitrary code execution and full compromise. Because low-privilege authenticated access leads to high-impact RCE, it also maps to Exploitation for Privilege Escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A vulnerability has been found in Tenda AC5 15.03.06.47. This issue affects the function formSetCfm of the file /goform/setcfm of the component POST Request Handler. Such manipulation of the argument funcpara1 leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Deeper analysis · AI

CVE-2026-4904 is a stack-based buffer overflow vulnerability affecting Tenda AC5 routers on firmware version 15.03.06.47. The flaw exists in the formSetCfm function of the /goform/setcfm file within the POST Request Handler component, where manipulation of the funcpara1 argument triggers the overflow.

The vulnerability is exploitable remotely over the network by an attacker with low privileges, such as an authenticated user, with low attack complexity and no user interaction. Successful exploitation has a high impact on confidentiality, integrity, and availability, potentially allowing arbitrary code execution and full device compromise.

Advisories detail the issue on VulDB (ctiid.353655, id.353655, submit.777381) and a Notion page with exploit information, while the Tenda vendor site is referenced for potential updates. No specific patches are outlined in the available data.

The exploit has been publicly disclosed, heightening the risk for exposed Tenda AC5 devices.

Details

CWE(s)

Affected Products

tenda
ac5 firmware
15.03.06.47

CVEs Like This One

CVE-2026-4902 (Same product: Tenda AC5)
CVE-2026-4905 (Same product: Tenda AC5)
CVE-2026-4903 (Same product: Tenda AC5)
CVE-2026-4906 (Same product: Tenda AC5)
CVE-2026-4008 (Same vendor: Tenda)
CVE-2026-4043 (Same vendor: Tenda)
CVE-2026-3971 (Same vendor: Tenda)
CVE-2026-4042 (Same vendor: Tenda)
CVE-2026-3970 (Same vendor: Tenda)
CVE-2026-4975 (Same vendor: Tenda)
