Login Sign Up

CVE-2026-2873

8.8 HIGH
Remote Code Execution Buffer Overflow

📋 TL;DR

A stack-based buffer overflow vulnerability in Tenda A21 routers allows remote attackers to execute arbitrary code by manipulating time parameters in the setSchedWifi function. This affects Tenda A21 routers running firmware version 1.0.0.0. Attackers can exploit this without authentication to potentially take full control of affected devices.

💻 Affected Systems

Products:
  • Tenda A21
Versions: 1.0.0.0
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web management interface accessible via LAN/WAN. No authentication required for exploitation.

📦 What is this software?

A21 Firmware by Tenda

View all CVEs affecting A21 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete device compromise, lateral movement to internal networks, persistent backdoor installation, and botnet recruitment.

🟠

Likely Case

Router compromise allowing traffic interception, DNS hijacking, credential theft, and denial of service to connected devices.

🟢

If Mitigated

Limited impact with proper network segmentation, though vulnerable devices remain at risk of compromise.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit available on GitHub. Attack requires sending crafted HTTP POST request to /goform/openSchedWifi endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.tenda.com.cn/

Restart Required: Yes

Instructions:

1. Check Tenda website for firmware updates. 2. Download latest firmware. 3. Access router admin panel. 4. Navigate to firmware upgrade section. 5. Upload and apply new firmware. 6. Reboot router.

🔧 Temporary Workarounds

Disable Remote Management

all

Prevent external access to router web interface

Access router admin panel -> System -> Remote Management -> Disable

Network Segmentation

linux

Isolate router management interface from untrusted networks

iptables -A INPUT -p tcp --dport 80 -s ! 192.168.1.0/24 -j DROP
iptables -A INPUT -p tcp --dport 443 -s ! 192.168.1.0/24 -j DROP

🧯 If You Can't Patch

  • Replace affected router with patched or different model
  • Implement strict firewall rules blocking all external access to router management interface

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin panel. If version is 1.0.0.0, device is vulnerable.

Check Version:

curl -s http://router-ip/goform/getStatus | grep version

Verify Fix Applied:

Verify firmware version has changed from 1.0.0.0 to a newer version after update.

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to /goform/openSchedWifi with abnormal time parameters
  • Multiple failed buffer overflow attempts in system logs

Network Indicators:

  • Unusual HTTP traffic to router management port (80/443) from external IPs
  • POST requests with long schedStartTime/schedEndTime parameters

SIEM Query:

source="router.log" AND (uri="/goform/openSchedWifi" AND (schedStartTime.length>50 OR schedEndTime.length>50))

📊 Metadata

CVE ID: CVE-2026-2873
CVSS v3 Score: 8.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-119
Published: February 21, 2026
Last Updated: February 23, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-2873, you might also want to check these:

CVE-2024-23613 10.0

A critical buffer overflow vulnerability in Symantec Deployment Solution 7.9 allows remote, unauthen...

Same vulnerability type (CWE-119)
CVE-2024-23615 10.0

A critical buffer overflow vulnerability in Symantec Messaging Gateway allows remote unauthenticated...

Same vulnerability type (CWE-119)
CVE-2026-2776 10.0

This CVE describes a sandbox escape vulnerability in Firefox's Telemetry component due to incorrect ...

Same vulnerability type (CWE-119)