HIGH 8.8

CVE-2026-11528: Tenda AC18 Stack Buffer Overflow Remote Code Execution

A stack-based buffer overflow vulnerability affects Tenda AC18 running firmware version 15.03.05.05. An attacker with valid login credentials can send a specially crafted request to the web management interface's reboot status endpoint, causing a buffer overflow that could lead to arbitrary code execution on the device. The vulnerability has been publicly disclosed and exploit code is available, increasing the practical risk.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-119, CWE-121
Affected products
0 configuration(s)
Published / Modified
2026-06-08 / 2026-06-17

NVD description (verbatim)

A vulnerability was found in Tenda AC18 15.03.05.05. The affected element is the function sub_45304 of the file /goform/getRebootStatus of the component Web Management Interface. The manipulation of the argument callback results in stack-based buffer overflow. The attack may be launched remotely. The exploit has been made public and could be used.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11528 is a stack-based buffer overflow in the Tenda AC18 web management interface. The vulnerability exists in function sub_45304 within the /goform/getRebootStatus endpoint. An unauthenticated remote attacker can manipulate the 'callback' parameter to overflow a stack buffer, potentially achieving code execution with the privileges of the web server process. The vulnerability is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow).

Business impact

Compromise of an affected Tenda AC18 router could grant an attacker complete control over network traffic, DNS settings, and connected device management. This enables lateral movement into enterprise networks, credential theft, malware distribution, and persistent network access. Organizations relying on this device for network perimeter control face significant data exfiltration and business continuity risks. The availability of public exploits dramatically shortens the window before widespread attacks occur.

Affected systems

Tenda AC18 running firmware version 15.03.05.05 is confirmed affected. Organizations should verify whether this model is deployed in their network infrastructure, particularly in remote office, branch, or guest network roles. Other Tenda AC18 firmware versions and related Tenda models should be evaluated against vendor advisory guidance to determine scope of exposure.

Exploitability

The vulnerability requires valid authentication (CVE vector indicates PR:L, low privilege), but public exploit code is already available. The attack vector is network-based with no user interaction required. These factors combine to create a high exploitability profile. Attackers with basic network access can attempt exploitation once they obtain valid credentials through other compromise vectors or default credentials.

Remediation

Upgrade Tenda AC18 devices to a patched firmware version as soon as a security update is available from Tenda. Until patching is possible, apply network controls to restrict access to the web management interface (port 80/443) to trusted administrator IP ranges only. Disable remote management features if not actively required. Consider temporarily segmenting affected devices to isolated network segments pending vendor updates.

Patch guidance

Contact Tenda support or check the official Tenda support portal for firmware updates addressing CVE-2026-11528. Verify the specific firmware version of your AC18 devices before patching (accessible via the web interface or device administration panel). Test patches in a non-production environment first. Coordinate patching across your organization to minimize service disruption. If no patch is available within your risk tolerance window, implement compensating controls as described in remediation guidance.

Detection guidance

Monitor web server logs on affected Tenda AC18 devices for requests to /goform/getRebootStatus with unusual or malformed 'callback' parameter values. Look for stack-based crash indicators or unexpected process restarts on the device. Network-level detection should focus on identifying login attempts to the web management interface followed by suspicious parameter manipulation. Intrusion detection systems may benefit from rules monitoring for stack-overflow exploitation patterns against this specific endpoint.

Why prioritize this

This vulnerability scores 8.8 (HIGH) and combines multiple high-risk factors: authenticated remote code execution capability, publicly available exploit code, direct impact on network infrastructure devices, and relatively straightforward attack preconditions. Organizations should prioritize patching or implementing compensating controls within days, not weeks, particularly if AC18 devices have any exposure to untrusted networks or high-value network positions.

Risk score, explained

The CVSS 3.1 score of 8.8 reflects high severity across multiple dimensions. The network attack vector (AV:N) and low attack complexity (AC:L) make exploitation feasible for moderately skilled attackers. Although the vulnerability requires low privilege (PR:L), this is frequently achievable through credential compromise or default password scenarios. The impact scope is unchanged (S:U) with high confidentiality, integrity, and availability impact (C:H/I:H/A:H), indicating complete system compromise is possible. The public availability of exploit code elevates the practical risk beyond the numerical score.

Frequently asked questions

Do I need valid login credentials to exploit this vulnerability?

Yes, the vulnerability requires low-privilege authentication to the web management interface. However, this prerequisite should not be underestimated—many Tenda devices ship with default credentials or weak passwords that are easily compromised. Additionally, credential stuffing or prior network reconnaissance may provide attackers with valid login material.

Is this vulnerability currently being exploited in the wild?

The vulnerability has been publicly disclosed and exploit code is available. While we cannot confirm widespread active exploitation at this moment, the availability of public exploits means opportunistic attackers and automated scanning tools will likely target this vulnerability shortly. Organizations should assume exploitation attempts will occur.

What are my options if a firmware patch is not yet available?

Implement immediate network segmentation to restrict web management interface access to known administrator IP ranges only. Disable remote management if possible. Monitor for suspicious activity on affected devices. Establish a timeline with Tenda for patch availability. If the device is critical and patching is delayed, consider replacing it with an alternative that has received security updates.

Could this affect other Tenda router models?

This specific vulnerability is confirmed in Tenda AC18 firmware 15.03.05.05. Related models or other firmware versions may have similar vulnerabilities, but should not be assumed affected without vendor confirmation. Check Tenda's official security advisory and advisory pages for related model guidance.

This analysis is provided for informational purposes and should not be construed as legal or compliance advice. Organizations are responsible for assessing the applicability of this vulnerability to their infrastructure and implementing appropriate remediation measures in accordance with their risk management policies. Patch availability, timelines, and specific version numbers should be verified directly with Tenda's official channels before deployment. SEC.co does not confirm the accuracy of exploit code or the completeness of vendor advisories and recommends independent security review before taking action. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).