HIGH 7.5

CVE-2026-36809: Tenda W15E Buffer Overflow Denial of Service Vulnerability

A buffer overflow vulnerability exists in Tenda W15E router firmware version 15.11.0.10. The flaw is located in the web authentication configuration function and can be triggered by sending a specially crafted HTTP request to the webAuthWhiteID parameter. An attacker on the network can exploit this to crash the router, causing a denial of service. No authentication is required, and the attack can be performed remotely.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-120
Affected products
0 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Shenzhen Tenda Technology Co., Ltd Tenda W15E v15.11.0.10 was discovered to contain a buffer overflow in the webAuthWhiteID parameter of the formModifyWebAuthWhiteUser function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-36809 is a classic buffer overflow (CWE-120) in the formModifyWebAuthWhiteUser function of Tenda W15E firmware v15.11.0.10. The vulnerability stems from improper bounds checking on the webAuthWhiteID parameter in HTTP requests destined for the device's web interface. When an oversized payload is sent to this parameter, it overwrites adjacent memory, corrupting the process state and triggering a crash. The CVSS 3.1 score of 7.5 reflects the high availability impact and ease of exploitation (network-accessible, no authentication, low complexity).

Business impact

Affected organizations using Tenda W15E routers face potential internet outages if an attacker floods the device with malicious requests. This is particularly disruptive for small businesses or remote offices relying on these consumer-grade routers as primary gateways. While the vulnerability does not enable data theft or system compromise, repeated exploitation could be weaponized as part of a broader denial-of-service campaign or used to disrupt business continuity during a critical period.

Affected systems

Tenda W15E firmware version 15.11.0.10 is confirmed vulnerable. Organizations should check whether this specific firmware version is deployed in their environment. Tenda has not disclosed a confirmed list of end-of-life or extended support status for this model; verify the vendor's security advisory for information on affected firmware branches and upgrade paths.

Exploitability

This vulnerability is straightforward to exploit. No authentication, special privileges, or user interaction are required—an attacker simply sends a crafted HTTP POST or GET request with an oversized webAuthWhiteID parameter. The attack is reproducible and does not depend on timing, race conditions, or environmental factors. The barrier to exploitation is low, making this a practical threat in environments where the router is exposed to untrusted networks.

Remediation

Upgrade Tenda W15E firmware to a patched version released after 2026-06-09. Consult the Tenda security advisory or product support page to identify the correct firmware build. As an interim measure, restrict HTTP access to the router's web interface using network-level firewall rules, limiting management traffic to trusted IP ranges or VPNs. Disable remote management features if not actively required.

Patch guidance

Check Tenda's official support portal and security advisories for the latest firmware version addressing CVE-2026-36809. Firmware updates for consumer routers are typically deployed via the device's web interface (Administration > System Tools > Firmware Upgrade) or through an automatic update mechanism if enabled. Verify the integrity of downloaded firmware using checksums or digital signatures provided by Tenda. Test the patched firmware in a non-production environment first if possible. Document the update for compliance and change management records.

Detection guidance

Monitor HTTP access logs for requests containing suspicious webAuthWhiteID parameter values, particularly those with unusually long payloads or non-printable characters. Intrusion detection systems (IDS) should be configured to alert on buffer overflow attack patterns targeting web interfaces. Network segmentation and device health monitoring (e.g., reboot events, CPU spikes) can reveal exploitation attempts. Log failed authentication or configuration change attempts on the router for forensic review.

Why prioritize this

This vulnerability merits prompt attention due to its high CVSS score (7.5), ease of exploitation, and the critical role routers play in network infrastructure. Although it does not enable unauthorized access, denial of service against a gateway device can have outsized business impact. The lack of exploit complexity and authentication requirements mean the threat window is wide. Organizations should prioritize patching if W15E devices are in production, particularly in environments exposed to the internet or untrusted networks.

Risk score, explained

The CVSS 3.1 score of 7.5 (HIGH) reflects a network-accessible vulnerability with no authentication requirement, low attack complexity, and direct impact on availability. The lack of confidentiality or integrity impact limits the score from the 9+ range, but the immediate and reliable denial-of-service capability justifies the elevated severity. Risk in your environment may be higher if routers are internet-facing or lower if strictly internal-only.

Frequently asked questions

Can this vulnerability be exploited remotely without being on the same network as the router?

Yes. If the router's web interface is exposed to the internet (a common misconfiguration in small office setups), the vulnerability can be exploited from anywhere. If the web interface is restricted to the local network only, the attacker must be on the same network segment or have network access to reach it.

Does this vulnerability allow an attacker to steal data or gain administrative access?

No. The vulnerability causes only a denial of service (crash). It does not enable data exfiltration, password theft, or unauthorized administrative access. An attacker cannot modify router settings, intercept traffic, or compromise connected devices through this flaw alone.

Are other Tenda router models affected?

The vulnerability is confirmed only in W15E firmware v15.11.0.10. Other Tenda models may have similar code paths and could be vulnerable, but without vendor confirmation, you should treat them as unaffected unless an advisory specifically names them. Contact Tenda support if you operate other Tenda devices.

What should I do if I cannot upgrade immediately?

Immediately restrict HTTP access to the router's web interface using firewall rules, allowing only trusted management IPs or VPN connections. Disable remote management if enabled. Monitor the device for unexpected reboots or availability issues. Develop a patch timeline within your change management process and prioritize this update in your next maintenance window.

This analysis is provided for informational purposes and reflects publicly available information as of the publication and modification dates listed. SEC.co makes no warranty regarding the completeness or accuracy of patch availability, vendor timelines, or affected product lists beyond what is explicitly stated in official vendor advisories. Organizations must verify compatibility and test patches in their specific environment before production deployment. Exploit code development, sale, or use of this information for unauthorized access is illegal. Consult official Tenda security advisories and your internal security team for authoritative guidance on your infrastructure. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).