HIGH | CVE-2026-11503 | CNA: VulDB

CVE-2026-11503: Tenda CX12L Wi-Fi Configuration Endpoint fast_setting_wifi_set form_fast_setting_wifi_set stack-based overflow

A security vulnerability has been detected in Tenda CX12L 16.03.53.12. The affected element is the function form_fast_setting_wifi_set of the file /goform/fast_setting_wifi_set of the component Wi-Fi Configuration Endpoint. Such manipulation of the argument ssid leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed publicly and may be used.

Metrics

  • CVSS v4.0: 8.7
  • Severity: HIGH
  • Fixed in: none published
  • Affected Products: 1

HarborGuard Analysis

Synopsis

A stack-based buffer overflow exists in the Tenda CX12L router (firmware 16.03.53.12) within the Wi-Fi configuration endpoint at /goform/fast_setting_wifi_set. The vulnerability is reachable over the network by an authenticated attacker who supplies an oversized value to the ssid argument, triggering the overflow in the form_fast_setting_wifi_set function. Successful exploitation gives an attacker full read, write, and denial-of-service capability over the device. No fix version has been published; HarborGuard tracks this advisory for patch availability.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds including VulDB within minutes of publication and matched against customer images and firmware layers in connected registries and CI pipelines, including custom-built images that bundle Tenda firmware components.

Status: Available

Triage

HarborGuard scores this finding at CVSS 8.7 (HIGH, v4.0) and can weight it against each customer environment's compliance policy, routing the alert to the appropriate team inbox based on asset criticality and policy thresholds configured within that org.

Status: Available

Patch

Because no upstream fix has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix version appears upstream. In the meantime, customers can use HarborGuard's compensating-control workflow to flag affected images and apply policy-driven guardrails at the pipeline level.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the device's HTTP service remotely.

  • Authentication: Required

    The CVSS vector specifies PR:L, meaning a low-privilege authenticated account on the device is sufficient to reach the vulnerable endpoint.

  • Victim interaction: Not required

    No user interaction is needed; the attacker sends a crafted request directly to the endpoint without relying on any victim action.

  • Attack complexity (detail)

    Attack complexity is low (AC:L), meaning the overflow is reliably triggered by a single malformed request with no race conditions or special environmental preconditions.

Blast Radius

  • Reads arbitrary data from the device's stack memory, including credentials or session material held in process memory.
  • Writes controlled data beyond the stack buffer, enabling overwrite of return addresses and likely arbitrary code execution on the router.
  • Crashes the affected Wi-Fi configuration service or the entire device, disrupting network connectivity for all clients relying on the router.
  • Full compromise of the device gives an attacker a persistent foothold on the local network segment served by the router.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for CVE-2026-11503, the platform monitors the VulDB advisory and any mirrored feeds on every ingest cycle and will surface a patched-image rebuild the moment a fix version is published. While awaiting an upstream patch, customers can apply compensating controls through HarborGuard's policy engine: isolating management interfaces via network-policy rules, blocking external access to the /goform/ endpoint namespace through egress and ingress filtering, and tagging affected images as non-deployable under a compliance policy until remediation is available. When a fix is published, customers with auto-remediation enabled will receive a rebuilt image, a regression-test run, and a pull request opened against affected workloads automatically.
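One way to back the ingress-filtering control above with a request check, shown as an added example that is not HarborGuard's or Tenda's code: it flags requests to /goform/fast_setting_wifi_set whose ssid value is longer than the 32-octet SSID limit of IEEE 802.11. The (method, path, body) record layout, the sample records, the /goform/other_form path and the "block-and-alert" action label are constructed assumptions; whether the firmware reads ssid from the query string or the form body is not stated in the advisory, so both are checked.

```python
from urllib.parse import urlsplit, parse_qsl

ENDPOINT = "/goform/fast_setting_wifi_set"  # endpoint named in the advisory
PARAM = "ssid"                              # argument named in the advisory
MAX_SSID_OCTETS = 32  # IEEE 802.11 SSID limit; not the firmware's buffer size

def ssid_lengths(path_with_query, body):
    """Yield the octet length of every ssid value in the query string or form body."""
    for source in (urlsplit(path_with_query).query, body):
        # latin-1 maps each percent-decoded byte to one character, so len() counts octets
        for key, value in parse_qsl(source, keep_blank_values=True, encoding="latin-1"):
            if key == PARAM:
                yield len(value)

def check_request(method, path_with_query, body=""):
    """Return a finding dict for an over-long ssid sent to the endpoint, else None."""
    if urlsplit(path_with_query).path.rstrip("/") != ENDPOINT:
        return None
    # A repeated parameter is judged by its longest occurrence.
    worst = max(ssid_lengths(path_with_query, body), default=0)
    if worst <= MAX_SSID_OCTETS:
        return None
    return {"method": method, "path": ENDPOINT, "ssid_octets": worst,
            "action": "block-and-alert"}  # hypothetical action label

def scan(records):
    """Run check_request over (method, path, body) records; return the findings."""
    return [f for f in (check_request(*r) for r in records) if f]

# Constructed sample records (method, path, form body); not captured traffic.
SAMPLE = [
    ("POST", ENDPOINT, "ssid=HomeNet&other=1"),          # normal SSID
    ("POST", ENDPOINT, "ssid=" + "%41" * 33),            # 33 octets, percent-encoded
    ("GET", ENDPOINT + "?ssid=" + "a" * 32, ""),         # exactly at the limit
    ("POST", "/goform/other_form", "ssid=" + "a" * 64),  # hypothetical other path
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The 32-octet threshold is the protocol maximum for a valid SSID, so legitimate configuration requests pass while any longer value is rejected before it reaches the device.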

Affected packages
  • Tenda / CX12L
    16.03.53.12
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P