Login Sign Up

CVE-2026-2191

7.2 HIGH
Remote Code Execution Buffer Overflow

📋 TL;DR

A stack-based buffer overflow vulnerability exists in Tenda AC9 routers running firmware version 15.03.06.42_multi. Remote attackers can exploit this by manipulating the security.ddos.map argument in the formGetDdosDefenceList function to execute arbitrary code. This affects users of vulnerable Tenda AC9 routers exposed to network access.

💻 Affected Systems

Products:
  • Tenda AC9
Versions: 15.03.06.42_multi
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Only this specific firmware version is confirmed affected. Other versions may be vulnerable but unconfirmed.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete device compromise, persistence installation, network pivoting, and data exfiltration.

🟠

Likely Case

Device crash/reboot causing service disruption, or limited code execution for network reconnaissance.

🟢

If Mitigated

Denial of service from failed exploitation attempts if proper network segmentation exists.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and public exploit code exists for internet-facing devices.
🏢 Internal Only: MEDIUM - Internal attackers could exploit this if they have network access to the device.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code is available in GitHub repositories, making exploitation straightforward for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.tenda.com.cn/

Restart Required: Yes

Instructions:

1. Check Tenda website for firmware updates
2. Download latest firmware for AC9
3. Access router admin interface
4. Navigate to firmware upgrade section
5. Upload and apply new firmware
6. Wait for router to reboot

🔧 Temporary Workarounds

Network Segmentation

all

Isolate Tenda AC9 routers from untrusted networks and limit access to management interfaces.

Disable Remote Management

all

Turn off WAN-side management access to prevent external exploitation.

🧯 If You Can't Patch

  • Replace vulnerable devices with patched or different model routers
  • Implement strict firewall rules to block all traffic to router management interfaces from untrusted networks

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface under System Status or Firmware Upgrade section.

Check Version:

Login to router web interface and navigate to System Status page

Verify Fix Applied:

Verify firmware version has changed from 15.03.06.42_multi to a newer version.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed connection attempts to router management interface
  • Unusual POST requests to formGetDdosDefenceList endpoint
  • Router reboot logs without user action

Network Indicators:

  • Unusual traffic patterns to router management port (typically 80/443)
  • Exploit payload patterns in network traffic

SIEM Query:

source_ip="router_ip" AND (uri_path="*formGetDdosDefenceList*" OR event_type="device_reboot")

📊 Metadata

CVE ID: CVE-2026-2191
CVSS v3 Score: 7.2 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-119
EPSS Score: 0.09% exploit probability (26.4th percentile)
Published: February 8, 2026
Last Updated: February 9, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-2191, you might also want to check these:

CVE-2024-23613 10.0

A critical buffer overflow vulnerability in Symantec Deployment Solution 7.9 allows remote, unauthen...

Same vulnerability type (CWE-119)
CVE-2024-23615 10.0

A critical buffer overflow vulnerability in Symantec Messaging Gateway allows remote unauthenticated...

Same vulnerability type (CWE-119)
CVE-2026-2776 10.0

This CVE describes a sandbox escape vulnerability in Firefox's Telemetry component due to incorrect ...

Same vulnerability type (CWE-119)