PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9431 Tenda CVE debrief

A stack-based buffer overflow vulnerability exists in the Tenda F1202 router firmware version 1.2.0.20(408). The vulnerability is located in the `fromPptpUserAdd` function within the `/goform/PptpUserAdd` endpoint, where improper handling of the `opttype` parameter allows remote attackers to trigger memory corruption. The CVSS 4.0 vector indicates network attack vector with low attack complexity, low privileges required, and no user interaction needed, resulting in high impacts to confidentiality, integrity, and availability. The vulnerability status is currently marked as 'Deferred' in the NVD, indicating the entry may be awaiting additional analysis or vendor coordination. Public exploit availability is noted, increasing the risk of active exploitation.

Vendor
Tenda
Product
F1202
CVSS
HIGH 7.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-25
Original CVE updated
2026-05-26
Advisory published
2026-05-25
Advisory updated
2026-05-26

Who should care

Network administrators managing Tenda F1202 deployments, SOHO network operators, managed service providers with router infrastructure, and security teams monitoring IoT/embedded device attack surfaces.

Technical summary

The vulnerability resides in the `fromPptpUserAdd` function handling PPTP user configuration. The `opttype` parameter lacks proper bounds checking, enabling stack-based buffer overflow when processing maliciously crafted requests. Attack vector is network-accessible with authentication bypass potential given low privilege requirements. Memory corruption can lead to arbitrary code execution in the context of the router's management daemon.

Defensive priority

HIGH

Recommended defensive actions

  • Review network segmentation to isolate affected Tenda F1202 devices from untrusted networks
  • Monitor for unauthorized access attempts to `/goform/PptpUserAdd` endpoint
  • Apply firmware updates from Tenda when available, or consider device replacement if patching is not feasible
  • Implement intrusion detection signatures for buffer overflow patterns targeting router management interfaces
  • Disable remote administration features on affected devices if not required for operations

Evidence notes

Vulnerability disclosed via VulDB with technical details published to GitHub. NVD status 'Deferred' suggests ongoing evaluation. CVSS 4.0 scoring applied. CWE-119 and CWE-121 (stack-based buffer overflow) identified as primary weakness types.

Official resources

2026-05-25