CVE-2026-4974

HighPublic PoC

Published: 27 March 2026

Published

27 March 2026

Modified

30 March 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0009 25.6th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-4974 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Ac7 Firmware. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 25.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly requires validation and sanitization of the Time argument in the /goform/SetSysTimeCfg POST handler to prevent stack-based buffer overflow exploitation.

SI-16 Memory Protection good match

prevent

Implements memory protections like stack canaries and non-executable memory stacks to block exploitation of the stack-based buffer overflow in fromSetSysTime.

SI-2 Flaw Remediation good match

prevent

Mandates timely flaw remediation, such as patching the vulnerable firmware version 15.03.06.44 to eliminate the buffer overflow vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

Stack buffer overflow in router web POST handler (/goform/SetSysTimeCfg) enables remote authenticated RCE on public-facing device interface (T1190) and directly supports privilege escalation from low-priv web account to full code execution (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A flaw has been found in Tenda AC7 15.03.06.44. Affected by this issue is the function fromSetSysTime of the file /goform/SetSysTimeCfg of the component POST Request Handler. Executing a manipulation of the argument Time can lead to stack-based buffer overflow.…

It is possible to launch the attack remotely. The exploit has been published and may be used.

Deeper analysisAI

CVE-2026-4974 is a stack-based buffer overflow vulnerability in the Tenda AC7 router running firmware version 15.03.06.44. The flaw resides in the fromSetSysTime function within the /goform/SetSysTimeCfg component of the POST Request Handler. By manipulating the Time argument, an attacker can trigger the overflow, as identified by CWEs-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-121 (Stack-based Buffer Overflow), and CWE-787 (Out-of-bounds Write). The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-03-27.

The vulnerability can be exploited remotely by an attacker with low privileges (PR:L), requiring no user interaction and low attack complexity over the network. Successful exploitation grants high impacts on confidentiality, integrity, and availability, potentially allowing arbitrary code execution on the affected device.

Advisories from VulDB (ctiid.353861, id.353861, submit.778207) document the issue, and a proof-of-concept exploit is publicly available on a Notion site. The vendor's site at tenda.com.cn is referenced, but no specific patch or mitigation details are outlined in the available information.

An exploit has been published, indicating potential for real-world abuse against unpatched Tenda AC7 routers.

Details

CWE(s): CWE-119 CWE-121 CWE-787

Affected Products

tenda

ac7 firmware

15.03.06.44

CVEs Like This One

CVE-2025-11528Same product: Tenda Ac7

CVE-2025-8017Same product: Tenda Ac7

CVE-2025-11525Same product: Tenda Ac7

CVE-2025-11527Same product: Tenda Ac7

CVE-2025-1851Same product: Tenda Ac7

CVE-2025-11526Same product: Tenda Ac7

CVE-2025-11586Same product: Tenda Ac7

CVE-2025-11524Same product: Tenda Ac7

CVE-2025-29135Same product: Tenda Ac7

CVE-2025-29137Same product: Tenda Ac7

References

https://lavender-bicycle-a5a.notion.site/Tenda-AC7-fromSetSysTime-32153a41781f801c95b0f8a53eaa9a1f?source=copy_link
Exploit, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.353861
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.353861
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.778207
Third Party Advisory, VDB Entry · cna@vuldb.com
https://www.tenda.com.cn/
Product · cna@vuldb.com