HIGH 7.5

CVE-2026-36806: Tenda W15E Router Buffer Overflow Vulnerability (CVSS 7.5)

Tenda W15E routers running firmware version 15.11.0.10 contain a buffer overflow vulnerability in the web authentication function. An attacker on the network can send a specially crafted HTTP request to trigger this flaw, crashing the device and disrupting service. No authentication is required to exploit this issue, and it affects the router's availability rather than confidentiality or integrity.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-121
Affected products
0 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Shenzhen Tenda Technology Co., Ltd Tenda W15E v15.11.0.10 was discovered to contain a buffer overflow in the webAuthUserPwd parameter of the formModifyWebAuthUser function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-36806 is a stack-based buffer overflow (CWE-121) in the formModifyWebAuthUser function of Tenda W15E firmware 15.11.0.10. The vulnerability exists in the webAuthUserPwd parameter handling, which does not properly validate input length before writing to a fixed-size buffer. An unauthenticated remote attacker can exploit this via a crafted HTTP POST request to cause memory corruption and crash the device, resulting in denial of service. The attack requires no authentication or user interaction.

Business impact

An exploited buffer overflow on edge networking devices like the Tenda W15E can disrupt connectivity for entire branch offices, small businesses, or home networks. Organizations relying on these routers for WAN access face potential downtime until the device is manually rebooted or replaced. If the device is remote or managed through the affected firmware interface, recovery may be time-consuming. The vulnerability does not enable data exfiltration or system compromise, but the availability impact can cascade to dependent business operations.

Affected systems

Tenda W15E router firmware version 15.11.0.10 is confirmed vulnerable. Organizations should verify whether they operate this exact firmware build and check Tenda's official firmware distribution channels for applicable updates. Tenda routers with similar authentication handling code in other versions may warrant testing, but only version 15.11.0.10 has been verified as affected.

Exploitability

This vulnerability has a CVSS 3.1 score of 7.5 (HIGH severity) due to network accessibility, low complexity of exploitation, and no requirement for authentication or user interaction. The attacker needs only to craft an HTTP request with an oversized webAuthUserPwd value and send it to the router's web interface. However, it does not currently appear on the CISA KEV catalog, suggesting either limited real-world exploitation or recent disclosure. The barrier to weaponization is low; scripts can be trivially created to trigger the crash.

Remediation

Organizations should contact Tenda support or check their official security advisories for a firmware update addressing this buffer overflow. If a patched firmware version is available, upgrade the W15E immediately. Until an update is available, consider restricting web interface access to trusted IP ranges using firewall rules, disabling remote management if not required, or isolating affected routers to lower-risk network segments. A reboot restores functionality but does not fix the underlying flaw.

Patch guidance

Check Tenda's official support portal and security advisories for firmware versions released after 15.11.0.10 for the W15E model. Upgrade instructions are typically provided via Tenda's web interface or manual firmware upload process. Before applying any update, verify the firmware file's authenticity and back up current configuration. Test the patched firmware in a lab environment if possible to ensure it does not introduce compatibility issues. After upgrade, confirm that the device functions correctly and that no configuration drift has occurred.

Detection guidance

Monitor web server logs on affected routers for HTTP requests with unusually long values in the webAuthUserPwd parameter or malformed POST requests to the formModifyWebAuthUser endpoint. Intrusion detection systems can be configured to flag payloads exceeding typical password length thresholds on port 80/443 targeting the router's web interface. Network telemetry showing unexpected router crashes or restarts without manual intervention may indicate exploitation attempts. Implement logging retention and alerting for administrator access to the router's web console to detect scanning or reconnaissance activity.

Why prioritize this

While the CVSS score is HIGH (7.5) and the attack surface is network-accessible, the vulnerability is currently not leveraged at scale (not on CISA KEV). However, the ease of exploitation and potential for widespread disruption in environments with many Tenda W15E deployments warrants prompt patching. Organizations should prioritize this based on asset inventory: devices exposed to untrusted networks or the internet merit faster remediation than those isolated on trusted internal segments.

Risk score, explained

CVSS 3.1 base score of 7.5 reflects: (1) network vector—remote exploitation requires no proximity; (2) low attack complexity—no special conditions or timing; (3) no privileges required; (4) no user interaction; (5) high impact to availability (device crash). The score does not account for the fact that exploitation affects only the target device and not downstream systems, or that rebooting restores service. Real-world risk depends on deployment context and whether the router is customer-facing or critical to operations.

Frequently asked questions

How can I tell if my Tenda W15E is vulnerable?

Check your current firmware version in the router's web interface (typically under System Settings or Administration). If it shows version 15.11.0.10 or earlier and Tenda has released a patch, your device is vulnerable. You can also contact Tenda support with your exact model and firmware version for confirmation.

Can this vulnerability allow an attacker to steal my passwords or WiFi keys?

No. This buffer overflow causes denial of service (crashing the router) but does not enable data exfiltration or bypass of access controls. An attacker cannot use this vulnerability to read stored credentials, intercept traffic, or gain administrative access to the device.

Is a reboot a permanent fix?

No. Rebooting the router restores functionality temporarily, but the underlying buffer overflow remains present in the firmware. The device will crash again if exploited. A permanent fix requires applying a patched firmware version from Tenda.

What should I do if I can't update my router right away?

As an interim measure: (1) restrict access to the router's web interface to trusted internal IPs only using your firewall; (2) disable remote management features if not required; (3) monitor for unexpected router restarts; (4) prioritize the update within your change management process. These steps reduce attack surface but do not eliminate the vulnerability.

This analysis is based on available vulnerability data as of the publication date. Organizations should verify all patch version numbers and deployment guidance directly with Tenda's official security advisories and support channels before applying updates. Exploitation scenarios and risk assessments are general and should be tailored to your specific network architecture and asset inventory. SEC.co does not warrant the accuracy of vendor responses or patch timelines. Always test updates in a non-production environment before broad deployment. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).