CVE-2026-13515 Overview
CVE-2026-13515 is a stack-based buffer overflow vulnerability affecting Tenda JD12L routers running firmware version 16.03.53.23. The flaw resides in the formSetPPTPServer function within the /goform/SetPptpServerCfg endpoint. Attackers can trigger the overflow by manipulating the startIp argument in a crafted request to the device's web management interface. The vulnerability is exploitable remotely over the network and the exploit has been publicly disclosed. Successful exploitation can lead to memory corruption and potential arbitrary code execution on the affected device, compromising the confidentiality, integrity, and availability of the router.
Critical Impact
Remote attackers with low-privileged access can trigger a stack-based buffer overflow via the startIp parameter, potentially leading to arbitrary code execution on affected Tenda JD12L devices.
Affected Products
- Tenda JD12L firmware version 16.03.53.23
- Vulnerable endpoint: /goform/SetPptpServerCfg
- Vulnerable function: formSetPPTPServer
Discovery Timeline
- 2026-06-29 - CVE-2026-13515 published to NVD
- 2026-06-29 - Last updated in NVD database
Technical Details for CVE-2026-13515
Vulnerability Analysis
The vulnerability is classified under [CWE-119] (Improper Restriction of Operations within the Bounds of a Memory Buffer). The flaw exists in the formSetPPTPServer handler, which processes PPTP (Point-to-Point Tunneling Protocol) server configuration requests submitted to /goform/SetPptpServerCfg. The handler copies the user-supplied startIp argument into a fixed-size stack buffer without validating the length of the input.
When an attacker submits an oversized startIp value, the copy operation overwrites adjacent stack memory, including saved return addresses and control data. This corruption can crash the router service or, with a properly crafted payload, redirect execution flow to attacker-controlled code. Given the constrained MIPS/ARM environment typical of Tenda devices, exploitation commonly leads to command execution as the web server process, which typically runs with elevated privileges on embedded routers.
Root Cause
The root cause is missing bounds checking on the startIp parameter before it is written into a stack-allocated buffer inside formSetPPTPServer. The handler trusts the length of client-supplied form data, a recurring weakness across Tenda's goform interfaces.
Attack Vector
Exploitation requires network reachability to the router's HTTP management interface and low-privileged authenticated access. An attacker crafts an HTTP POST request to /goform/SetPptpServerCfg containing an overly long startIp value. The request triggers the stack overflow inside the router's httpd process. Public disclosure of the exploit increases the risk of opportunistic attacks against exposed devices.
A verified proof-of-concept is not included in this advisory. Refer to the GitHub Issue Report and the VulDB Vulnerability Detail for technical write-ups.
Detection Methods for CVE-2026-13515
Indicators of Compromise
- HTTP POST requests to /goform/SetPptpServerCfg containing abnormally long startIp parameter values.
- Unexpected reboots, httpd process crashes, or watchdog restarts on Tenda JD12L devices.
- Outbound connections from the router to unfamiliar hosts following configuration change requests.
Detection Strategies
- Deploy network intrusion detection signatures that inspect HTTP request bodies to /goform/SetPptpServerCfg and flag startIp values exceeding expected IPv4 string length.
- Monitor router syslog output for repeated segmentation faults or restarts of the web administration daemon.
- Correlate authentication events with subsequent PPTP configuration changes to detect misuse of low-privilege credentials.
Monitoring Recommendations
- Restrict and audit access to the router's management interface, logging all administrative HTTP requests.
- Alert on inbound traffic from the WAN to TCP ports hosting the router's web UI.
- Track firmware versions across the fleet and flag any JD12L device still running 16.03.53.23.
How to Mitigate CVE-2026-13515
Immediate Actions Required
- Disable remote WAN administration on affected Tenda JD12L devices and limit management to trusted LAN segments.
- Enforce strong, unique administrative credentials to reduce the risk of low-privileged exploitation.
- Disable the PPTP server feature if not required for operational needs.
- Segment vulnerable routers away from sensitive internal networks until remediation is applied.
Patch Information
At the time of publication, no vendor patch has been referenced in the advisory. Consult the Tenda Company Homepage and the VulDB CVE Report for updates on official firmware fixes.
Workarounds
- Block external access to TCP ports serving the router's web interface using an upstream firewall.
- Restrict access to /goform/SetPptpServerCfg via an ACL or reverse proxy where feasible.
- Replace end-of-life or unpatched devices with supported hardware if a fix is not released.
# Example: block external management access using iptables on an upstream gateway
iptables -A FORWARD -p tcp -d <router_ip> --dport 80 -i <wan_iface> -j DROP
iptables -A FORWARD -p tcp -d <router_ip> --dport 443 -i <wan_iface> -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

