Login Sign Up

CVE-2026-2874

8.8 HIGH
Remote Code Execution Buffer Overflow

📋 TL;DR

A stack-based buffer overflow vulnerability in Tenda A21 routers allows remote attackers to execute arbitrary code by manipulating the SSID parameter. This affects Tenda A21 routers running firmware version 1.0.0.0. Attackers can exploit this without authentication to potentially take full control of affected devices.

💻 Affected Systems

Products:
  • Tenda A21
Versions: 1.0.0.0
Operating Systems: Embedded Linux (router firmware)
Default Config Vulnerable: ⚠️ Yes
Notes: All Tenda A21 routers running the vulnerable firmware version are affected regardless of configuration.

📦 What is this software?

A21 Firmware by Tenda

View all CVEs affecting A21 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete device compromise, lateral movement to internal networks, persistent backdoor installation, and data exfiltration.

🟠

Likely Case

Router compromise allowing traffic interception, DNS hijacking, credential theft, and use as botnet node for DDoS attacks.

🟢

If Mitigated

Limited impact with proper network segmentation, but still vulnerable to denial of service if exploited.

🌐 Internet-Facing: HIGH - Remote exploitation without authentication makes internet-facing devices immediate targets.
🏢 Internal Only: MEDIUM - Internal devices still vulnerable to network-based attacks but with reduced attack surface.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code exists in GitHub repository, making exploitation straightforward for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.tenda.com.cn/

Restart Required: Yes

Instructions:

1. Check Tenda website for firmware updates. 2. Download latest firmware. 3. Access router admin interface. 4. Navigate to firmware upgrade section. 5. Upload and apply new firmware. 6. Reboot router.

🔧 Temporary Workarounds

Disable Remote Management

all

Prevent external access to router administration interface

Network Segmentation

all

Isolate router management interface to separate VLAN

🧯 If You Can't Patch

  • Replace affected routers with patched or different models
  • Implement strict firewall rules blocking all external access to router management interface

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface. If version is 1.0.0.0, device is vulnerable.

Check Version:

Check via router web interface at 192.168.0.1 or 192.168.1.1

Verify Fix Applied:

Verify firmware version has been updated to a version later than 1.0.0.0

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /goform/fast_setting_wifi_set with long SSID parameters
  • Router crash/reboot logs
  • Unusual outbound connections from router

Network Indicators:

  • Exploit traffic patterns to router management interface
  • Unusual DNS queries from router
  • Router responding abnormally to management requests

SIEM Query:

source="router_logs" AND (uri="/goform/fast_setting_wifi_set" AND content_length>100) OR (event="crash" AND device="Tenda_A21")

📊 Metadata

CVE ID: CVE-2026-2874
CVSS v3 Score: 8.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-119
Published: February 21, 2026
Last Updated: February 23, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-2874, you might also want to check these:

CVE-2024-23613 10.0

A critical buffer overflow vulnerability in Symantec Deployment Solution 7.9 allows remote, unauthen...

Same vulnerability type (CWE-119)
CVE-2024-23615 10.0

A critical buffer overflow vulnerability in Symantec Messaging Gateway allows remote unauthenticated...

Same vulnerability type (CWE-119)
CVE-2026-2776 10.0

This CVE describes a sandbox escape vulnerability in Firefox's Telemetry component due to incorrect ...

Same vulnerability type (CWE-119)