HIGH 7.5

CVE-2026-36789: Tenda AC1206 Stack Overflow DoS Vulnerability

Tenda AC1206 routers running firmware version 15.03.06.23 contain stack overflow vulnerabilities in the DHCP configuration function that can be triggered remotely without authentication. An attacker can send a specially crafted HTTP request with malicious username or password parameters to crash the router, rendering it unavailable until it is manually restarted. This is a network-accessible denial-of-service vulnerability that requires no user interaction or login credentials.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-121
Affected products
0 configuration(s)
Published / Modified
2026-06-08 / 2026-06-17

NVD description (verbatim)

Shenzhen Tenda Technology Co., Ltd Tenda AC1206 v15.03.06.23 was discovered to contain multiple stack overflows in the fromGstDhcpSetSer function via the username and password parameters. These vulnerabilities allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

Multiple stack overflow vulnerabilities exist in the fromGstDhcpSetSer function within Tenda AC1206 v15.03.06.23 firmware. The vulnerability stems from improper input validation on the username and password parameters passed to the DHCP configuration handler. Stack overflows occur when untrusted user input exceeds the bounds of stack-allocated buffers, allowing an attacker to overwrite the return address or other critical stack structures. The attack is delivered via HTTP, making it remotely exploitable from the network without requiring prior authentication or user interaction, leading to process crash and denial of service.

Business impact

Affected routers become unavailable following a denial-of-service attack, interrupting network connectivity for users and devices relying on that access point. In organizational environments, this could disrupt branch office operations, guest networks, or department-level connectivity depending on the deployment model. The need to physically restart the router to restore service increases mean time to recovery and creates operational friction. While no data breach occurs, the availability impact affects business continuity and could cascade to services dependent on that network segment.

Affected systems

Tenda AC1206 devices running firmware version 15.03.06.23 are confirmed vulnerable. This includes both retail and OEM variants of the AC1206 model distributed globally. Organizations should verify their installed firmware version via the device's web administration interface or physical label. Devices running different firmware versions may also be affected; verification against vendor advisories is recommended to determine the full scope of impacted builds.

Exploitability

The vulnerability is highly exploitable. Attack requirements are minimal: an attacker needs only network-level access to the router (typically available on the same LAN segment or potentially from the internet if the HTTP administration interface is exposed) and the ability to craft a malformed HTTP request. No authentication, user interaction, or client-side action is required. Exploitation is straightforward—a single HTTP POST or GET request with oversized or specially formatted username/password parameters can trigger the stack overflow and crash the device. Public proof-of-concept code does not appear to be widely available, but the attack surface is simple enough that exploitation tools could emerge quickly.

Remediation

Contact Tenda support or visit their firmware download portal to identify and deploy a patched firmware version for the AC1206. Verify the version number after upgrade to confirm the patch has been applied. If a firmware update is not available or your device is end-of-life, consider isolating the router's administration interface from untrusted networks and disabling remote management features if not required for operations. Monitor for unexpected router reboots, which may indicate exploitation attempts.

Patch guidance

Verify the current firmware version on your Tenda AC1206 via the web administration panel (typically accessed at 192.168.0.1 or similar). Document the version number and check the Tenda support website or your regional distributor for available firmware releases newer than v15.03.06.23. Download the firmware from official Tenda channels only. Follow Tenda's documented upgrade procedure—typically this involves uploading the firmware binary through the web interface and allowing the device to reboot. Do not interrupt the upgrade process. After the device reboots, verify the new firmware version and test connectivity. If the device is part of a larger deployment, prioritize upgrades for production access points and implement a phased rollout to minimize disruption.

Detection guidance

Monitor network traffic to the router's HTTP administration port (typically 80 or 8080) for unusual request patterns, particularly POST/GET requests with abnormally long or binary-heavy username or password parameters. Look for router syslog or console messages indicating segmentation faults or unexpected restarts. In managed environments, enable SNMP or syslog collection from the router if available and watch for sudden connection drops followed by reboot events. Intrusion detection systems with updated signatures may flag malformed DHCP configuration requests. Baseline the router's expected reboot schedule—unscheduled or frequent restarts warrant investigation.

Why prioritize this

This vulnerability merits medium-to-high priority remediation because it affects network availability, is remotely exploitable without authentication, and targets a commonly deployed consumer-grade device often found in office and branch networks. The CVSS 7.5 (HIGH) score reflects the ease of exploitation and impact on confidentiality. While the attack does not compromise data confidentiality or integrity, the denial-of-service impact justifies prompt patching, especially for routers in critical network roles. If your organization uses Tenda AC1206 devices, begin inventory and testing immediately. If you do not use this model, verify your router inventory to exclude it from scope.

Risk score, explained

The CVSS v3.1 score of 7.5 (HIGH) reflects network-accessible exploitability (AV:N), low attack complexity (AC:L), no privilege requirement (PR:N), and no user interaction (UI:N). The vector shows impact only to availability (A:H), with no confidentiality or integrity impact. This scoring appropriately elevates a denial-of-service vulnerability because of its remote, unauthenticated nature and the minimal effort required to trigger it. Organizations should not mistake the absence of confidentiality impact for low risk; network availability is a critical security attribute.

Frequently asked questions

Is my router vulnerable if I am running a newer firmware version?

Vulnerability in v15.03.06.23 is confirmed. Devices running newer versions are assumed patched, but you should verify by checking official Tenda advisories. If in doubt, contact Tenda support or your vendor representative with your exact firmware version.

Do I need to be connected to the router's WiFi network to exploit this vulnerability?

Not necessarily. The vulnerability affects the HTTP administration interface, which may be accessible from the LAN (wired or wireless). If remote management is enabled in the router's settings, the interface could theoretically be exposed to the internet. Check your router's remote management setting and disable it unless explicitly required.

What happens if the router is exploited—will my data be stolen?

This vulnerability causes a denial-of-service (crash/reboot) only. It does not allow data exfiltration, user account compromise, or unauthorized access to your network. However, an attacker could use the availability disruption to force service degradation or deploy follow-on attacks. Patching should still be treated as urgent.

Can I temporarily mitigate the risk without patching?

Temporarily, restrict HTTP access to the router's administration interface to trusted devices and networks only. Disable remote management if it is enabled. However, these are workarounds, not fixes. Patching remains necessary to fully resolve the underlying vulnerability.

This analysis is based on the publicly disclosed vulnerability record for CVE-2026-36789 and vendor advisories current as of the publication date. Patch availability, firmware version numbers, and vendor guidance may change; verify all remediation steps against official Tenda sources before deployment. SEC.co does not warrant the accuracy or completeness of third-party vendor information. Organizations should conduct their own testing in non-production environments before applying patches to critical systems. This intelligence is for informational and defensive purposes only. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).