Cyber Resilience

CVE-2026-7034

HighPublic PoC

Published: 26 April 2026

Published
26 April 2026
Modified
30 April 2026
KEV Added
Patch
CVSS Score v4 7.4 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0062 45.2th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-7034 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Fh1202 Firmware. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 45.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-7034 is a stack-based buffer overflow vulnerability affecting the Tenda FH1202 router on firmware version 1.2.0.14(408). The flaw resides in the WrlExtraSet function within the /goform/WrlExtraSet file of the httpd component, where manipulation of the "Go" argument triggers the overflow. It is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow), with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

An attacker with low privileges can exploit this vulnerability remotely without user interaction. By sending a crafted request to the affected endpoint, the adversary triggers the buffer overflow, potentially achieving arbitrary code execution with high impacts on confidentiality, integrity, and availability. A public exploit is available, increasing the risk of widespread abuse.

VULDB advisories (vuln/359614 and related entries) document the issue and submission details, while a GitHub repository provides a proof-of-concept exploit in its README. The Tenda vendor website is listed as a reference, though specific patch details are not outlined in the available information. Security practitioners should check for firmware updates directly from the vendor.

EU & UK References

Vulnerability details

A vulnerability was found in Tenda FH1202 1.2.0.14(408). Affected by this issue is the function WrlExtraSet of the file /goform/WrlExtraSet of the component httpd. Performing a manipulation of the argument Go results in stack-based buffer overflow. The attack may be…

more

initiated remotely. The exploit has been made public and could be used.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a remote stack-based buffer overflow in the web management interface (/goform/WrlExtraSet) of a router, directly enabling exploitation of a public-facing application for arbitrary code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-7035Same product: Tenda Fh1202
CVE-2025-7531Same product: Tenda Fh1202
CVE-2025-7527Same product: Tenda Fh1202
CVE-2025-7532Same product: Tenda Fh1202
CVE-2025-7529Same product: Tenda Fh1202
CVE-2025-7528Same product: Tenda Fh1202
CVE-2025-7530Same product: Tenda Fh1202
CVE-2026-3809Same product: Tenda Fh1202
CVE-2026-3811Same product: Tenda Fh1202
CVE-2026-3807Same product: Tenda Fh1202

Affected Assets

tenda
fh1202 firmware
1.2.0.14\(408\)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Timely flaw remediation through vendor firmware updates directly eliminates the stack-based buffer overflow in the WrlExtraSet function of the httpd component.

prevent

Information input validation restricts the 'Go' argument to safe lengths and formats, preventing the buffer overflow triggered by crafted HTTP requests to /goform/WrlExtraSet.

prevent

Memory protection mechanisms like stack canaries or non-executable memory mitigate exploitation of the stack-based buffer overflow even if invalid input reaches the vulnerable function.

References