HIGH 7.5

CVE-2026-36816: Tenda W15E Buffer Overflow DoS Vulnerability

A buffer overflow vulnerability has been discovered in Tenda W15E router firmware version 15.11.0.10. The flaw exists in how the device handles user input for a Wi-Fi whitelist feature, allowing an attacker to send a specially crafted web request that crashes the router and temporarily takes it offline. No authentication is required to trigger this issue, and the attacker does not need to be on the local network—they can attempt it remotely over the internet.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-120
Affected products
0 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Shenzhen Tenda Technology Co., Ltd Tenda W15E v15.11.0.10 was discovered to contain a buffer overflow in the wewifiWhiteUserInfo parameter of the formAddWewifiWhiteUser function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-36816 is a classic buffer overflow (CWE-120) in the formAddWewifiWhiteUser function of the Tenda W15E v15.11.0.10 firmware. The wewifiWhiteUserInfo parameter fails to properly validate input length before copying data into a fixed-size buffer, enabling stack-based memory corruption. The vulnerability carries a CVSS v3.1 score of 7.5 (HIGH), reflecting a network-accessible, unauthenticated denial-of-service condition. The attack vector is network-based with low complexity and no user interaction required.

Business impact

Organizations relying on Tenda W15E routers for network access face intermittent service outages if this vulnerability is exploited. An attacker can remotely disable the device without administrative credentials, disrupting connectivity for all users depending on that access point. In managed service provider (MSP) or small-to-medium business environments where these devices are prevalent, such outages can cascade across multiple customer locations if not promptly patched. The vulnerability does not enable data exfiltration or unauthorized access—its impact is strictly availability.

Affected systems

Tenda W15E firmware version 15.11.0.10 is confirmed vulnerable. Users should verify whether their devices are running this specific firmware version via the router's web interface or management console. Other firmware versions of the Tenda W15E and different Tenda models require independent verification against vendor advisories to determine exposure. Given the age and widespread deployment of budget-segment routers, affected user bases may be substantial but fragmented across small deployments.

Exploitability

Exploitation is straightforward and requires only the ability to send a malformed HTTP request to the router's web interface. No special tools, authentication, or local network access are necessary—an attacker on the internet can craft the exploit. The low barrier to entry means opportunistic scanning and exploitation are likely if public proof-of-concept code emerges. However, active exploitation in the wild is not currently documented in the KEV catalog, suggesting limited immediate real-world abuse.

Remediation

The primary remediation is to upgrade the Tenda W15E firmware to a patched version released by Shenzhen Tenda Technology Co., Ltd. Check the vendor's support page or product documentation for available firmware updates beyond v15.11.0.10. As an interim measure, restricting access to the router's web management interface via firewall rules, disabling remote management, and segmenting administrative access to trusted networks can reduce exposure. Firmware patching should be prioritized, as workarounds are limited.

Patch guidance

Contact Shenzhen Tenda Technology Co., Ltd or visit their official support site to confirm the availability and version number of patched firmware for the W15E model. Firmware updates typically can be applied through the router's web interface under System Settings or Administration. Test the update in a non-critical environment first if possible. After patching, verify router functionality and reconnect client devices. Maintain a record of applied patches for compliance and audit purposes.

Detection guidance

Monitor router logs for unusual HTTP requests to the formAddWewifiWhiteUser endpoint or requests containing unexpectedly long payloads in the wewifiWhiteUserInfo parameter. Network intrusion detection systems (IDS) can be tuned to flag oversized POST requests to Tenda W15E management interfaces. Firmware version auditing across deployed routers will help identify vulnerable instances. Since the vulnerability causes a denial-of-service condition, monitor for unexpected router reboots or connectivity loss that may indicate exploitation attempts.

Why prioritize this

Although the CVSS score is 7.5 (HIGH), the impact is limited to availability and the vulnerability is not yet in the CISA KEV catalog. Organizations should prioritize this based on device deployment count: if Tenda W15E routers are not critical to your infrastructure or are deployed in limited numbers, it can be addressed in a standard monthly patch cycle. However, MSPs, ISPs, and enterprises managing many of these devices should treat it as medium-to-high priority due to the potential for widespread simultaneous outages if exploited at scale.

Risk score, explained

The CVSS 7.5 (HIGH) reflects the combination of a network-accessible attack vector, zero authentication requirements, low attack complexity, and guaranteed availability impact. The score does not account for the lack of confidentiality or integrity compromise, which keeps it below the CRITICAL threshold. Real-world risk depends on device deployment density and criticality; a single home user faces minimal business impact, while a hotel chain or campus network with dozens of Tenda W15E access points faces elevated risk of coordinated disruption.

Frequently asked questions

Does this vulnerability allow an attacker to access my router settings or steal data?

No. This buffer overflow triggers a denial-of-service condition that crashes the router, but it does not grant authentication or enable data exfiltration. An attacker cannot read stored Wi-Fi passwords, view connected devices, or modify configurations. The only damage is temporary unavailability.

Do I need to be connected to the router's Wi-Fi network to exploit this?

No. The vulnerability exists in the web management interface, which in many router configurations is accessible from the internet if remote management is enabled. An attacker can send the malicious request remotely. If your router's management interface is only accessible from the local network, risk is significantly reduced.

Is there a public exploit for CVE-2026-36816?

The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, suggesting active exploitation in the wild is not yet documented. However, as a straightforward buffer overflow with a clear attack vector, exploit code could emerge quickly. Monitor security feeds and patch as soon as possible.

What should I do if I cannot patch immediately?

Disable remote management on the router if it is enabled, and use a firewall rule to restrict access to the management interface (typically port 80 or 443) to only trusted internal IP addresses. Ensure the device is not exposed directly to the internet. This reduces exploitability while you plan and execute the firmware update.

This analysis is provided for educational and informational purposes only. The information herein is derived from public vulnerability disclosures and does not constitute professional security advice. Organizations should consult vendor advisories and conduct independent testing before deploying patches. SEC.co makes no warranty regarding the accuracy, completeness, or applicability of this information to specific environments. Security decisions should be made in consultation with qualified security professionals and risk management stakeholders. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).