HIGH 8.8

CVE-2026-11504: Tenda CX12L Stack Buffer Overflow in Wi-Fi Scheduler

A stack-based buffer overflow vulnerability exists in Tenda CX12L routers running firmware version 16.03.53.12. The flaw is in the Wi-Fi scheduling feature and can be exploited by authenticated users to corrupt memory and potentially execute arbitrary code. An attacker with valid login credentials can send specially crafted scheduling parameters that overflow a buffer, compromising the router's confidentiality, integrity, and availability. Public exploit code has emerged, increasing active risk.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-119, CWE-121
Affected products
0 configuration(s)
Published / Modified
2026-06-08 / 2026-06-17

NVD description (verbatim)

A vulnerability was detected in Tenda CX12L 16.03.53.12. The impacted element is the function setSchedWifi of the file /goform/openSchedWifi of the component Wi-Fi Schedule Configuration Endpoint. Performing a manipulation of the argument schedStartTime/schedEndTime results in stack-based buffer overflow. The attack may be initiated remotely. The exploit is now public and may be used.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11504 is a stack-based buffer overflow (CWE-119, CWE-121) in the setSchedWifi function of the Wi-Fi Schedule Configuration endpoint (/goform/openSchedWifi) in Tenda CX12L firmware 16.03.53.12. The vulnerability is triggered when the schedStartTime or schedEndTime parameters exceed expected buffer boundaries, enabling stack memory corruption. The attack requires network access and valid authentication (user-level privileges), but no user interaction. The resulting memory corruption can lead to information disclosure, code execution, or denial of service depending on exploitation technique.

Business impact

Router compromise via this vulnerability enables attackers to intercept or manipulate network traffic, disrupt internet connectivity for connected devices, establish persistent backdoors, or pivot into internal networks. For organizations or individuals relying on this router for critical connectivity, a successful exploit can directly impact business continuity, data security, and customer trust. The authentication requirement limits blast radius to users with valid credentials, but many home and small-business routers use weak or unchanged default credentials, lowering this barrier in practice.

Affected systems

Tenda CX12L routers with firmware version 16.03.53.12 are confirmed affected. Organizations and users should verify their firmware version immediately. Check the router's admin panel or firmware update interface for the current installed version. Tenda may have released patches or later firmware builds; consult the vendor's security advisories to determine which versions are patched and available for upgrade.

Exploitability

The attack is remotely exploitable over the network and requires only standard user-level authentication—not administrative access. No user interaction or clicks are required. The availability of public exploit code significantly increases practical exploitation risk; attackers can now test and deploy attacks with minimal development effort. The straightforward nature of buffer overflows in firmware means that even non-expert threat actors can weaponize existing proofs-of-concept, making rapid mass exploitation likely.

Remediation

Upgrade Tenda CX12L firmware to a patched version as soon as possible. Tenda has published or will publish security advisories detailing available patches; consult their official security bulletin or support portal for the specific build numbers. In the interim, restrict administrative access to the router's web interface, enforce strong authentication credentials (avoid defaults), and segment the router's management interface behind a firewall or VPN if operationally feasible. Monitor router logs for suspicious access attempts or configuration changes.

Patch guidance

Contact Tenda directly or visit their official support website to identify and download patched firmware for the CX12L model. Firmware updates should be applied via the router's standard update mechanism (Settings > Firmware Update). Before upgrading, back up any custom configuration. Test the update in a non-production environment if available. Verify successful installation by confirming the new firmware version in the admin panel. Document the patching date for compliance and incident response records.

Detection guidance

Monitor network traffic for POST requests to /goform/openSchedWifi with unusually long or malformed schedStartTime and schedEndTime parameter values. Inspect router logs (if accessible) for failed or suspicious Wi-Fi schedule configuration changes. Implement network segmentation to restrict router management traffic to authorized IP ranges. Deploy intrusion detection rules flagging buffer overflow patterns in router management endpoints. Consider using endpoint detection and response (EDR) on systems connected to the router to identify any anomalous post-compromise behavior.

Why prioritize this

This vulnerability merits high priority due to the combination of network accessibility, low authentication friction (user-level access often easily obtained), public exploit availability, and potential for code execution. Routers are critical infrastructure for organizational and personal connectivity; their compromise can enable lateral movement into networks, data exfiltration, and persistent access. The CVSS 8.8 HIGH score reflects these factors. Organizations should patch within days, not weeks.

Risk score, explained

The CVSS 3.1 score of 8.8 (HIGH) reflects a remotely exploitable stack-based buffer overflow requiring user-level authentication but no user interaction, resulting in high impact to confidentiality, integrity, and availability. The low attack complexity and broad network attack vector, combined with the potential for arbitrary code execution and the public availability of exploit code, justify the elevated severity rating and warrant immediate remediation efforts.

Frequently asked questions

Do I need administrative access to exploit this vulnerability?

No. The vulnerability can be exploited with valid user-level credentials, not administrative access. Many Tenda routers ship with unchanged default credentials, making this barrier even lower in practice.

Is this vulnerability exploited in the wild?

Public exploit code has been released, significantly increasing the risk of active exploitation. Organizations should assume adversaries are actively testing this vulnerability and prioritize patching accordingly.

How do I know if my Tenda CX12L is affected?

Check your router's firmware version (typically visible in Settings > System or Administration). If it is version 16.03.53.12, your device is confirmed vulnerable. Consult Tenda's security advisory to determine if later firmware versions address the flaw.

Can this be exploited without network access?

No. The vulnerability requires network access to the router (either local network or remote access if enabled), but once an attacker has network visibility, they only need valid user credentials to launch an attack.

This analysis is based on publicly available CVE data and vendor disclosures as of June 2026. Specific patch version numbers and availability should be verified against official Tenda security advisories and support channels. No exploit code or weaponized proof-of-concept guidance is provided. Organizations should conduct their own risk assessment and test patches in controlled environments before production deployment. SEC.co makes no warranty regarding the completeness or timeliness of vulnerability information and recommends consulting primary vendor sources for definitive remediation guidance. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).