CVE-2026-1420 – This vulnerability allows remote attackers to e... (How to Fix)

Q: What is the severity of CVE-2026-1420?

CVE-2026-1420 has a CVSS score of 8.8 (HIGH). This vulnerability allows remote attackers to execute arbitrary code on Tenda AC23 routers via a buffer overflow in the WifiExtraSet function. Attackers can exploit this without authentication by sending specially crafted requests to the vulnerable endpoint. All users running the affected firmware version are at risk.

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on Tenda AC23 routers via a buffer overflow in the WifiExtraSet function. Attackers can exploit this without authentication by sending specially crafted requests to the vulnerable endpoint. All users running the affected firmware version are at risk.

💻 Affected Systems

Products:

Tenda AC23 router

Versions: 16.03.07.52

Operating Systems: Embedded Linux firmware

Default Config Vulnerable: ⚠️ Yes

Notes: The web management interface must be accessible (typically on port 80). Default configurations often expose this interface.

📦 What is this software?

Ac23 Firmware by Tenda

View all CVEs affecting Ac23 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the router leading to persistent backdoor installation, network traffic interception, credential theft, and lateral movement to connected devices.

🟠

Likely Case

Router takeover enabling DNS hijacking, credential harvesting, and use as a pivot point for attacks on internal networks.

🟢

If Mitigated

Limited impact if the router is behind a firewall with strict inbound filtering and the web interface is not exposed to the internet.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable without authentication and a public PoC exists, making internet-exposed devices immediate targets.

🏢 Internal Only: MEDIUM - Internal attackers or malware could exploit this to pivot through the network, though it requires network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

The PoC demonstrates reliable exploitation. The vulnerability requires no authentication and is straightforward to weaponize.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None known

Restart Required: Yes

Instructions:

Check Tenda's official website or support portal for firmware updates. If available, download the latest firmware, upload it via the router's web interface, and reboot.

🔧 Temporary Workarounds

Disable remote management

all

Prevent external access to the router's web interface by disabling remote management/WAN access features.

Restrict web interface access

all

Use firewall rules to block inbound access to port 80/443 on the router from untrusted networks.

🧯 If You Can't Patch

Segment the router on an isolated network VLAN to limit lateral movement potential.
Monitor for unusual outbound connections or unexpected configuration changes on the router.

🔍 How to Verify

Check if Vulnerable:

Check the firmware version in the router's web interface under System Status or similar. If version is 16.03.07.52, the device is vulnerable.

Check Version:

Connect to the router's web interface and navigate to System Status or use curl: curl -s http://router-ip/ | grep -i firmware

Verify Fix Applied:

After updating, verify the firmware version has changed from 16.03.07.52 to a newer version.

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests to /goform/WifiExtraSet with long wpapsk_crypto parameters
Router reboot events or configuration changes not initiated by administrators

Network Indicators:

Unexpected outbound connections from the router to unknown IPs
DNS queries to suspicious domains from the router

SIEM Query:

source="router_logs" AND (uri_path="/goform/WifiExtraSet" AND content_length>1000)

📊 Metadata

CVE ID: CVE-2026-1420

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-119

EPSS Score: 0.08% exploit probability (24.3th percentile)

Published: January 26, 2026

Last Updated: January 28, 2026

🔗 References

https://github.com/xyh4ck/iot_poc/blob/main/Tenda%20AC23_Buffer_Overflow_WifiExtraSet/Tenda%20AC23_Buffer_Overflow_WifiExtraSet.md Exploit,Third Party Advisory
https://github.com/xyh4ck/iot_poc/blob/main/Tenda%20AC23_Buffer_Overflow_WifiExtraSet/Tenda%20AC23_Buffer_Overflow_WifiExtraSet.md#poc Exploit
https://vuldb.com/?ctiid.342836 Permissions Required,VDB Entry
https://vuldb.com/?id.342836 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.736559 Third Party Advisory,VDB Entry
https://www.tenda.com.cn/ Product

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-1420, you might also want to check these: