PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9389 Tenda CVE debrief

A buffer overflow vulnerability in the Tenda F456 router firmware version 1.0.0.5 allows remote attackers to execute arbitrary code via the `page` parameter in the `/goform/L7Im` endpoint's `frmL7ImForm` function. The vulnerability has a CVSS 4.0 score of 7.4 (HIGH severity) and public exploit disclosure increases immediate risk. The affected product is a consumer-grade wireless router, and successful exploitation could lead to complete device compromise. No CISA KEV listing or vendor patch is confirmed at this time.

Vendor
Tenda
Product
F456
CVSS
HIGH 7.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-24
Original CVE updated
2026-05-26
Advisory published
2026-05-24
Advisory updated
2026-05-26

Who should care

Network administrators managing Tenda F456 deployments; security teams responsible for consumer-grade router infrastructure; SOHO and residential users with this device model; incident response teams tracking IoT exploitation campaigns

Technical summary

The vulnerability exists in the `frmL7ImForm` function handling HTTP POST requests to `/goform/L7Im` on Tenda F456 firmware 1.0.0.5. Insufficient bounds checking on the `page` parameter allows stack-based or heap-based buffer overflow, potentially enabling remote code execution with privileges of the web server process. The attack requires network connectivity to the router's web interface and valid low-privilege credentials or session. CVSS 4.0 scoring: Attack Vector (AV): Network, Attack Complexity (AC): Low, Attack Requirements (AT): None, Privileges Required (PR): Low, User Interaction (UI): None, Confidentiality Impact (VC): High, Integrity Impact (VI): High, Availability Impact (VA): High, Exploit Maturity (E): Proof-of-concept.

Defensive priority

HIGH

Recommended defensive actions

  • Segment or restrict network access to Tenda F456 router management interfaces; disable remote administration if enabled
  • Monitor for anomalous HTTP requests to `/goform/L7Im` containing oversized `page` parameters
  • Apply firmware updates from Tenda when available; verify version exceeds 1.0.0.5
  • Consider replacing device if vendor patch timeline is unacceptable given public exploit availability
  • Review device placement in network architecture; isolate from critical assets

Evidence notes

Vulnerability confirmed via Vuldb CNA submission with public proof-of-concept. CVSS 4.0 vector indicates network attack vector with low attack complexity, low privileges required, and no user interaction. Weaknesses mapped to CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-120 (Buffer Copy without Checking Size of Input). Vendor attribution to Tenda based on reference domain evidence with low confidence; product identification from vulnerability description.

Official resources

Public exploit disclosed 2026-05-24; no confirmed patch available