CVE-2026-7033
Published: 26 April 2026
Summary
CVE-2026-7033 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda F456 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the buffer overflow by requiring timely installation of firmware patches or mitigations for the fromSafeClientFilter function vulnerability.
Prevents the buffer overflow by enforcing validation and sanitization of the 'menufacturer/Go' argument in the /goform/SafeClientFilter endpoint.
Mitigates exploitation of the buffer overflow through memory protections like non-executable stacks and address randomization on the router firmware.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Buffer overflow in public-facing web interface (/goform/SafeClientFilter) on Tenda router enables remote code execution with low privileges and no user interaction, directly facilitating T1190.
NVD Description
A vulnerability has been found in Tenda F456 1.0.0.5. Affected by this vulnerability is the function fromSafeClientFilter of the file /goform/SafeClientFilter. Such manipulation of the argument menufacturer/Go leads to buffer overflow. The attack can be launched remotely. The exploit has…
more
been disclosed to the public and may be used.
Deeper analysisAI
CVE-2026-7033 is a buffer overflow vulnerability in Tenda F456 routers running firmware version 1.0.0.5. The flaw affects the fromSafeClientFilter function in the /goform/SafeClientFilter file, where manipulation of the "menufacturer/Go" argument triggers the overflow. Published on 2026-04-26, it is rated 8.8 on the CVSS v3.1 scale (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-119 and CWE-120.
The vulnerability enables remote exploitation by an attacker possessing low privileges, requiring no user interaction and low attack complexity. Successful exploitation grants high-impact access to confidentiality, integrity, and availability, potentially allowing arbitrary code execution on the affected device.
Advisories and references include a GitHub repository at https://github.com/Litengzheng/vuldb_new/blob/main/F456/vul_123/README.md detailing the exploit, which has been publicly disclosed and may be used, along with VulDB submissions and vulnerability pages at https://vuldb.com/submit/798454, https://vuldb.com/vuln/359613, and https://vuldb.com/vuln/359613/cti. The Tenda manufacturer site is available at https://www.tenda.com.cn/.
Details
- CWE(s)