Skip to main content
CVE Vulnerability Database

CVE-2026-5609: Tenda I12 Firmware Buffer Overflow Flaw

CVE-2026-5609 is a stack-based buffer overflow flaw in Tenda I12 Firmware affecting the formwrlSSIDset function. Attackers can exploit this remotely to compromise devices. This article covers technical details, impact, and mitigation.

Updated:

CVE-2026-5609 Overview

CVE-2026-5609 is a stack-based buffer overflow vulnerability affecting Tenda i12 firmware version 1.0.0.11(3862). The flaw resides in the formwrlSSIDset function within the /goform/wifiSSIDset endpoint of the Parameter Handler component. Attackers can manipulate the index and wl_radio arguments to overflow a stack buffer. The issue is classified under [CWE-119] (Improper Restriction of Operations within the Bounds of a Memory Buffer). Public exploit details have been disclosed, increasing the likelihood of opportunistic exploitation against exposed devices.

Critical Impact

Remote attackers with low privileges can corrupt stack memory on Tenda i12 access points, enabling potential code execution and full device compromise.

Affected Products

  • Tenda i12 access point hardware
  • Tenda i12 firmware version 1.0.0.11(3862)
  • Deployments exposing /goform/wifiSSIDset to untrusted networks

Discovery Timeline

  • 2026-04-06 - CVE-2026-5609 published to NVD
  • 2026-04-30 - Last updated in NVD database

Technical Details for CVE-2026-5609

Vulnerability Analysis

The vulnerability exists in the formwrlSSIDset handler that processes wireless SSID configuration requests sent to /goform/wifiSSIDset. The handler reads the index and wl_radio HTTP parameters without enforcing length boundaries before copying them into a fixed-size stack buffer. Supplying oversized values overwrites adjacent stack memory, including saved return addresses and local variables. Successful exploitation can redirect execution flow on the embedded MIPS or ARM target. The attack proceeds over the network and requires only authenticated low-privilege access to the device management interface.

Root Cause

The defect stems from missing input validation in the Parameter Handler component. The formwrlSSIDset routine trusts user-supplied request parameters and uses unsafe copy operations against a bounded stack buffer. Without length checks or safe string functions, attacker-controlled data overruns the destination buffer. This pattern is consistent with [CWE-119] memory boundary violations common in consumer router firmware.

Attack Vector

Attackers reach the vulnerable endpoint by sending a crafted HTTP request to /goform/wifiSSIDset on the management interface. The request must include oversized index or wl_radio parameter values to trigger the overflow. Network reachability to the management plane is required, along with valid low-privilege credentials. Devices exposing management to the WAN or guest networks face the highest risk. Refer to the GitHub vulnerability documentation and VulDB entry #355400 for additional technical details.

Detection Methods for CVE-2026-5609

Indicators of Compromise

  • HTTP POST requests to /goform/wifiSSIDset containing abnormally long index or wl_radio parameter values.
  • Unexpected reboots, watchdog resets, or httpd crashes on Tenda i12 devices following configuration changes.
  • Configuration drift in wireless SSID or radio parameters that does not match administrator activity.

Detection Strategies

  • Inspect web server and reverse-proxy logs for wifiSSIDset requests with parameter lengths exceeding expected SSID or radio identifier sizes.
  • Deploy network intrusion detection signatures that flag oversized form parameters destined for /goform/ endpoints on Tenda devices.
  • Correlate device crash telemetry with inbound management traffic to identify exploitation attempts.

Monitoring Recommendations

  • Forward Tenda i12 syslog output to a centralized logging platform and alert on repeated httpd restarts.
  • Monitor administrative authentication events on access points for unusual login sources or times.
  • Track outbound connections from access points to detect post-exploitation command-and-control traffic.

How to Mitigate CVE-2026-5609

Immediate Actions Required

  • Restrict access to the Tenda i12 management interface to trusted administrative VLANs only.
  • Disable remote WAN-side management on all Tenda i12 deployments until a vendor patch is available.
  • Rotate administrative credentials on affected devices to limit abuse of low-privilege accounts required for exploitation.
  • Inventory all Tenda i12 units running firmware 1.0.0.11(3862) and prioritize them for remediation.

Patch Information

At the time of publication, Tenda has not released a fixed firmware version for CVE-2026-5609. Monitor the Tenda security portal for firmware updates addressing the formwrlSSIDset handler. Apply vendor-supplied updates immediately upon release and validate that the patched firmware enforces parameter length limits on /goform/wifiSSIDset.

Workarounds

  • Place affected access points behind a firewall that blocks inbound HTTP and HTTPS requests to the management port from untrusted networks.
  • Use web application firewall or reverse-proxy rules to drop requests to /goform/wifiSSIDset containing oversized index or wl_radio values.
  • Segment Tenda i12 devices onto a dedicated management network with strict access control lists.
  • Consider replacing end-of-support hardware with models receiving active security maintenance if no patch is issued.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.