CVE-2026-2192

7.2 HIGH

📋 TL;DR

This CVE describes a stack-based buffer overflow vulnerability in Tenda AC9 routers' formGetRebootTimer function. Attackers can exploit this remotely by manipulating sys.schedulereboot.start_time/sys.schedulereboot.end_time parameters to execute arbitrary code. Users of Tenda AC9 routers with vulnerable firmware are affected.

💻 Affected Systems

Products:
  • Tenda AC9
Versions: 15.03.06.42_multi
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All devices running this specific firmware version are vulnerable by default. The vulnerability exists in the web management interface.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete device compromise, persistent backdoor installation, and lateral movement to connected networks.

🟠 Likely Case

Router compromise allowing traffic interception, DNS hijacking, credential theft, and denial of service.

🟢 If Mitigated

Limited impact if device is behind firewall with restricted WAN access and proper network segmentation.

🌐 Internet-Facing: HIGH - Attack can be launched remotely without authentication, making internet-exposed devices immediate targets.
🏢 Internal Only: MEDIUM - Internal attackers could exploit this, but requires network access to the router's management interface.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code is available in GitHub repositories. The vulnerability requires no authentication and has straightforward exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.tenda.com.cn/

Restart Required: Yes

Instructions:

  1. Check Tenda website for firmware updates.
  2. Download latest firmware for AC9 model.
  3. Access router web interface.
  4. Navigate to System Tools > Firmware Upgrade.
  5. Upload new firmware file.
  6. Wait for automatic reboot.

🔧 Temporary Workarounds

  • Disable Remote Management (all): Prevent external access to router web interface
  • Network Segmentation (all): Isolate router management interface to trusted network

🧯 If You Can't Patch

  • Replace affected router with updated model or different vendor
  • Implement strict firewall rules blocking all WAN access to router management ports (typically 80/443)

🔍 How to Verify

Check if Vulnerable:

Access router web interface > System Status > Firmware Version. Check if version matches 15.03.06.42_multi.

Check Version:

curl -s http://router-ip/goform/GetSysInfo | grep firmware_version

Verify Fix Applied:

After firmware update, verify version no longer shows 15.03.06.42_multi. Test if formGetRebootTimer endpoint still accepts malformed input.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /goform/formGetRebootTimer
  • Multiple failed reboot schedule attempts
  • Buffer overflow error messages in system logs

Network Indicators:

  • Unusual traffic patterns from router to external IPs
  • DNS queries to suspicious domains from router
  • Port scanning originating from router

SIEM Query:

source="router-logs" AND (uri="/goform/formGetRebootTimer" OR message="*buffer overflow*" OR message="*schedulereboot*")
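
The log indicators above as an offline check over exported logs (an added example, not part of the original advisory or any vendor tooling). The log layout, the 16-character ceiling for a legitimate time value, and the sample lines are assumptions constructed for illustration; only the URI and parameter names come from this page.

```python
import re
from urllib.parse import parse_qs

ENDPOINT = "/goform/formGetRebootTimer"        # URI named in the advisory
FIELDS = ("sys.schedulereboot.start_time",     # parameters named in the advisory
          "sys.schedulereboot.end_time")
MAX_FIELD_LEN = 16  # assumed ceiling for a legitimate time value; tune per site

# Assumed log layout: <timestamp> <client-ip> <method> <uri> "<urlencoded params>"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "(.*)"$')

def flag_requests(lines, max_len=MAX_FIELD_LEN):
    """Return (timestamp, client, reason) tuples for suspicious requests."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not in the assumed layout; skip rather than guess
        ts, client, _method, uri, body = m.groups()
        path, _, query = uri.partition("?")
        if path != ENDPOINT:
            continue
        # The fields may arrive in the query string or in the logged body.
        fields = parse_qs(query + "&" + body, keep_blank_values=True)
        for name in FIELDS:
            for value in fields.get(name, []):
                if len(value) > max_len:
                    findings.append((ts, client, f"{name} length {len(value)} > {max_len}"))
                elif not value.isprintable():
                    findings.append((ts, client, f"{name} has non-printable bytes"))
    return findings

# Constructed sample lines (documentation IP ranges), not real traffic.
_P = "sys.schedulereboot.start_time={}&sys.schedulereboot.end_time=04%3A00"
SAMPLE_LOG = [
    f'2026-01-01T03:00:01Z 192.0.2.10 POST {ENDPOINT} "{_P.format("03%3A00")}"',
    f'2026-01-01T03:05:42Z 198.51.100.7 POST {ENDPOINT} "{_P.format("0" * 300)}"',
    f'2026-01-01T03:05:50Z 198.51.100.7 POST {ENDPOINT} "{_P.format("03%3A00%00")}"',
    '2026-01-01T03:06:10Z 192.0.2.10 GET /goform/GetSysInfo ""',
]

if __name__ == "__main__":
    for finding in flag_requests(SAMPLE_LOG):
        print(*finding, sep="  ")
```

Any hit from a client outside the management network is worth correlating with the network indicators listed above.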
