PatchSiren cyber security CVE debrief
CVE-2026-9428 Tenda CVE debrief
A stack-based buffer overflow vulnerability exists in the Tenda F1202 router firmware version 1.2.0.20(408). The vulnerability is located in the `fromPPTPUserSetting` function within the `/goform/PPTPUserSetting` endpoint. Remote attackers can exploit this by manipulating the `delno` argument to trigger memory corruption. The CVSS 4.0 score of 7.4 (HIGH) reflects network attack vector, low attack complexity, and required privileges, with high impacts to confidentiality, integrity, and availability. The exploit has been publicly disclosed, increasing the risk of active exploitation. The CVE was published on 2026-05-25 and last modified on 2026-05-26.
- Vendor
- Tenda
- Product
- F1202
- CVSS
- HIGH 7.4
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-25
- Original CVE updated
- 2026-05-26
- Advisory published
- 2026-05-25
- Advisory updated
- 2026-05-26
Who should care
Network administrators managing Tenda F1202 deployments, SOHO network operators, MSSPs monitoring consumer-grade router vulnerabilities, and security teams responsible for edge network device hardening
Technical summary
The vulnerability resides in the `fromPPTPUserSetting` function handling HTTP POST requests to `/goform/PPTPUserSetting`. Insufficient bounds checking on the `delno` parameter allows attacker-controlled data to overflow stack-allocated buffers. Successful exploitation may result in arbitrary code execution with elevated privileges on the router's embedded system. The attack requires network access and valid credentials (PR:L per CVSS vector), though the public exploit availability suggests weaponization risk.
Defensive priority
HIGH
Recommended defensive actions
- Restrict network access to Tenda F1202 router administrative interfaces, particularly the /goform/PPTPUserSetting endpoint
- Apply firmware updates from Tenda if available; monitor vendor security advisories at official Tenda channels
- Implement network segmentation to isolate affected routers from untrusted networks
- Consider disabling PPTP VPN functionality if not required for business operations
- Monitor for suspicious requests to /goform/PPTPUserSetting with anomalous delno parameter values
- Review logs for signs of exploitation attempts targeting the fromPPTPUserSetting function
Evidence notes
Vulnerability identified through Vuldb submission 813911. CWE-121 (Stack-based Buffer Overflow) and CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) assigned. CVSS 4.0 vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/E:P.
Official resources
Public exploit disclosure confirmed via Vuldb references