CVE-2026-5830
Published: 09 April 2026
Summary
CVE-2026-5830 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Ac15 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the stack-based buffer overflow by requiring timely testing and installation of firmware patches for the affected Tenda AC15 device.
Prevents exploitation of the buffer overflow in websGetVar by validating and restricting the length/content of oldPwd, newPwd, and cfmPwd inputs.
Mitigates stack-based buffer overflow impacts through memory protection mechanisms like stack canaries, ASLR, and non-executable stacks.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Buffer overflow in public-facing web interface (/goform/SysToolChangePwd) enables remote authenticated exploitation for arbitrary code execution on Linux-based router, directly mapping to T1190 and facilitating T1059.004.
NVD Description
A vulnerability was identified in Tenda AC15 15.03.05.18. This affects the function websGetVar of the file /goform/SysToolChangePwd. Such manipulation of the argument oldPwd/newPwd/cfmPwd leads to stack-based buffer overflow. The attack can be executed remotely. The exploit is publicly available and…
more
might be used.
Deeper analysisAI
CVE-2026-5830 is a stack-based buffer overflow vulnerability affecting the Tenda AC15 router on firmware version 15.03.05.18. The flaw exists in the websGetVar function of the /goform/SysToolChangePwd file, where manipulation of the oldPwd, newPwd, or cfmPwd arguments triggers the overflow. Published on 2026-04-09, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWEs 119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and 121 (Stack-based Buffer Overflow).
The vulnerability enables remote exploitation by attackers with low privileges, such as authenticated users on the device. By sending crafted requests to the affected endpoint, an attacker can overflow the stack, potentially leading to arbitrary code execution and high-impact compromise of confidentiality, integrity, and availability.
Advisories on VulDB (https://vuldb.com/vuln/356277, https://vuldb.com/vuln/356277/cti, https://vuldb.com/submit/789178) document the issue and related CTI. The Tenda vendor site (https://www.tenda.com.cn/) is referenced for potential firmware updates or guidance.
A public exploit is available at https://files.catbox.moe/xrk8jb.zip, heightening the risk of real-world attacks against unpatched Tenda AC15 devices.
Details
- CWE(s)