Login Sign Up

CVE-2026-2930

6.3 MEDIUM
Remote Code Execution Buffer Overflow

📋 TL;DR

A stack-based buffer overflow vulnerability in Tenda A18 routers allows remote attackers to execute arbitrary code by manipulating the boundary argument in the webCgiGetUploadFile function. This affects Tenda A18 routers running firmware version 15.13.07.13. Attackers can exploit this without authentication to potentially take control of affected devices.

💻 Affected Systems

Products:
  • Tenda A18
Versions: 15.13.07.13
Operating Systems: Embedded Linux (router firmware)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the HTTP service component on the router. No special configuration required for exploitation.

📦 What is this software?

A18 Firmware by Tenda

View all CVEs affecting A18 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete device compromise, lateral movement to internal networks, and persistent backdoor installation.

🟠

Likely Case

Device takeover for botnet recruitment, credential theft, or network traffic interception.

🟢

If Mitigated

Limited impact if devices are behind firewalls with strict inbound rules and network segmentation.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and affects internet-facing router devices.
🏢 Internal Only: MEDIUM - Internal devices could be targeted through lateral movement or if exposed to internal threats.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code is available, making exploitation straightforward for attackers with basic skills.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.tenda.com.cn/

Restart Required: Yes

Instructions:

1. Check Tenda website for firmware updates. 2. Download latest firmware. 3. Upload via router admin interface. 4. Reboot router.

🔧 Temporary Workarounds

Disable Remote Management

all

Turn off remote administration features to prevent external exploitation.

Access router admin interface > Advanced Settings > Remote Management > Disable

Network Segmentation

all

Isolate router management interface to separate VLAN.

🧯 If You Can't Patch

  • Replace affected devices with patched or different models
  • Implement strict firewall rules blocking all inbound traffic to router management interface

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface. If version is 15.13.07.13, device is vulnerable.

Check Version:

Check via router web interface at 192.168.0.1 or 192.168.1.1

Verify Fix Applied:

Verify firmware version has been updated to a version newer than 15.13.07.13.

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP POST requests to /cgi-bin/UploadCfg
  • Large boundary parameter values in upload requests

Network Indicators:

  • Exploit traffic patterns matching public PoC
  • Unexpected connections from router to external IPs

SIEM Query:

source_ip=router_ip AND dest_port=80 AND uri_path="/cgi-bin/UploadCfg" AND http_method="POST"

📊 Metadata

CVE ID: CVE-2026-2930
CVSS v3 Score: 6.3 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-119
Published: February 22, 2026
Last Updated: February 23, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-2930, you might also want to check these:

CVE-2024-23613 10.0

A critical buffer overflow vulnerability in Symantec Deployment Solution 7.9 allows remote, unauthen...

Same vulnerability type (CWE-119)
CVE-2024-23615 10.0

A critical buffer overflow vulnerability in Symantec Messaging Gateway allows remote unauthenticated...

Same vulnerability type (CWE-119)
CVE-2026-2776 10.0

This CVE describes a sandbox escape vulnerability in Firefox's Telemetry component due to incorrect ...

Same vulnerability type (CWE-119)