CVE-2026-0640 – A buffer overflow vulnerability in Tenda AC23 r... (How to Fix)

📋 TL;DR

A buffer overflow vulnerability in Tenda AC23 routers allows remote attackers to execute arbitrary code by manipulating the Time parameter in the PowerSaveSet function. This affects users running firmware version 16.03.07.52. The vulnerability is remotely exploitable without authentication.

💻 Affected Systems

Products:

Tenda AC23

Versions: 16.03.07.52

Operating Systems: Embedded Linux (router firmware)

Default Config Vulnerable: ⚠️ Yes

Notes: All devices running the vulnerable firmware version are affected regardless of configuration.

📦 What is this software?

Ac23 Firmware by Tenda

View all CVEs affecting Ac23 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise leading to persistent backdoor installation, network traffic interception, and lateral movement to other devices.

🟠

Likely Case

Router takeover allowing attackers to modify DNS settings, intercept traffic, or launch attacks against internal network devices.

🟢

If Mitigated

Limited impact if device is behind firewall with strict inbound filtering and network segmentation.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and public exploit code exists.

🏢 Internal Only: MEDIUM - Attackers with internal network access could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public proof-of-concept exploit available on GitHub demonstrates remote code execution.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check Tenda website for firmware updates
2. Download latest firmware for AC23
3. Upload via router admin interface
4. Reboot router after update

🔧 Temporary Workarounds

Disable remote management

all

Prevent external access to router administration interface

Access router admin panel > Advanced > System > Remote Management > Disable

Network segmentation

all

Isolate router management interface to separate VLAN

🧯 If You Can't Patch

Replace affected router with different model or vendor
Place router behind dedicated firewall with strict inbound filtering

🔍 How to Verify

Check if Vulnerable:

Access router admin interface and check firmware version under System Status

Check Version:

curl -s http://router-ip/goform/getStatus | grep version

Verify Fix Applied:

Verify firmware version is newer than 16.03.07.52

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests to /goform/PowerSaveSet
Multiple failed buffer overflow attempts

Network Indicators:

Unusual traffic patterns from router
Router making unexpected outbound connections

SIEM Query:

source_ip=router_ip AND uri_path="/goform/PowerSaveSet" AND method="POST"

📊 Metadata

CVE ID: CVE-2026-0640

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-119

EPSS Score: 0.1% exploit probability (26.8th percentile)

Published: January 6, 2026

Last Updated: January 15, 2026

🔗 References

https://github.com/xyh4ck/iot_poc/blob/main/Tenda%20AC23_Buffer_Overflow/Tenda%20AC23_Buffer_Overflow.md Exploit,Third Party Advisory
https://github.com/xyh4ck/iot_poc/blob/main/Tenda%20AC23_Buffer_Overflow/Tenda%20AC23_Buffer_Overflow.md#poc Exploit,Third Party Advisory
https://vuldb.com/?ctiid.339683 Permissions Required,VDB Entry
https://vuldb.com/?id.339683 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.731772 Third Party Advisory,VDB Entry
https://www.tenda.com.cn/ Product

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-0640, you might also want to check these: