Severity: HIGH | CVE-2026-11504 | CNA: VulDB

CVE-2026-11504: Tenda CX12L Wi-Fi Schedule Configuration Endpoint openSchedWifi setSchedWifi stack-based overflow

A vulnerability was detected in Tenda CX12L 16.03.53.12. The impacted element is the function setSchedWifi of the file /goform/openSchedWifi of the component Wi-Fi Schedule Configuration Endpoint. Manipulating the argument schedStartTime/schedEndTime results in a stack-based buffer overflow. The attack may be initiated remotely. The exploit is now public and may be used.

Metrics

  • CVSS v4.0: 8.7
  • Severity: HIGH
  • Fixed in: (none listed)
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A stack-based buffer overflow affects the Tenda CX12L wireless router (firmware 16.03.53.12) in the setSchedWifi function, reachable via the /goform/openSchedWifi Wi-Fi Schedule Configuration endpoint. An attacker with a low-privilege account can send a crafted schedStartTime or schedEndTime argument over the network to overflow the stack. Successful exploitation gives the attacker full control over the device, including the ability to read sensitive data, tamper with configuration, or crash the service. No fix version has been published; HarborGuard tracks this advisory and will make a patched rebuild available as soon as upstream ships a fix.

HarborGuard Coverage

Detection

Detection of CVE-2026-11504 is available across every HarborGuard environment: the CVE is ingested from upstream feeds including VulDB within minutes of publication and matched against all customer images, including custom-built images that package Tenda CX12L firmware layers or related components. Any image containing the affected firmware version 16.03.53.12 is flagged automatically at scan time.

Status: Available
Triage

Triage capability is available with a CVSS v4.0 score of 8.7 (HIGH), surfaced alongside per-environment compliance policy weighting so teams can calibrate urgency to their specific risk posture. Findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Status: Available
Patch

No upstream fix has been published for CVE-2026-11504. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. For customers who opt into auto-remediation, a rebuild, regression run, and PR against affected workloads will be triggered automatically at that point.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, so the attacker must be able to reach the device's HTTP service remotely.

  • Authentication: Required

    The attack requires a low-privilege account; any valid user credential on the device is sufficient to reach the vulnerable endpoint.

  • Victim interaction: Not required

    No action from a logged-in user or administrator is needed; the attacker triggers the overflow directly by sending a crafted request.

  • Attack complexity: Detail

    Attack complexity is rated low (AC:L, with AT:N, in the CVSS vector), meaning the exploit is reliable and does not depend on race conditions, a specific memory layout, or other environmental preconditions.

Blast Radius

  • A successful attacker gains the ability to execute arbitrary code on the router, taking full control of the device.
  • Confidential data stored or processed by the device, including Wi-Fi credentials and network configuration, is exposed to the attacker.
  • The attacker can modify router settings, redirect traffic, or disable network controls, tampering with the device's intended behavior.
  • The overflow can crash the affected service or the device entirely, disrupting network connectivity for all clients on the segment.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-11504 is active and will flag any scanned image containing Tenda CX12L firmware version 16.03.53.12 as soon as it appears in a customer registry or CI pipeline.

Because no upstream patch exists as of the publication date, HarborGuard monitors the VulDB advisory on every ingest cycle. The moment a fix is released, a patched-image rebuild at the corrected version becomes available; for customers who opt into auto-remediation, this triggers an automated rebuild, regression test run, and a PR opened against affected workloads.

In the interim, compensating controls worth considering include:

  • network-policy isolation to restrict access to the router management interface to trusted subnets only;
  • egress filtering to limit lateral movement if the device is compromised;
  • disabling the Wi-Fi Schedule Configuration feature via a feature-flag or ACL if it is not operationally required.
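While no fix exists, the interim controls above can be backed by a log check on the affected endpoint. The following is an added example, not HarborGuard or Tenda code: it flags requests to /goform/openSchedWifi that come from outside a trusted management subnet or carry a schedStartTime/schedEndTime value that is not a plain time. The subnet, the HH:MM value format and the proxy log layout are assumptions, and the log lines are constructed.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Assumptions, not from the advisory: the management subnet, the HH:MM value
# format, and a proxy log layout of "<src_ip> <method> <url-with-params>".
TRUSTED_MGMT = ipaddress.ip_network("192.168.10.0/24")
ENDPOINT = "/goform/openSchedWifi"
TIME_PARAMS = ("schedStartTime", "schedEndTime")
TIME_RE = re.compile(r"(?:[01]\d|2[0-3]):[0-5]\d")

# Constructed sample log lines (not captured traffic).
SAMPLE_LOG = "\n".join([
    f"192.168.10.5 POST {ENDPOINT}?schedStartTime=22:00&schedEndTime=06:30",
    f"203.0.113.9 POST {ENDPOINT}?schedStartTime=22:00&schedEndTime=06:30",
    f"192.168.10.7 POST {ENDPOINT}?schedStartTime={'9' * 300}&schedEndTime=06:30",
    "192.168.10.5 GET /index.html",
])

def check_line(line):
    """Return the reasons a logged request deserves review (empty list if none)."""
    parts = line.split()
    if len(parts) != 3:
        return []  # not in the assumed log layout
    src, _method, url = parts
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return []
    target = urlsplit(url)
    if target.path != ENDPOINT:
        return []
    reasons = []
    if ip not in TRUSTED_MGMT:
        reasons.append("source outside management subnet")
    params = parse_qs(target.query, keep_blank_values=True)
    for name in TIME_PARAMS:
        for value in params.get(name, []):
            if not TIME_RE.fullmatch(value):
                reasons.append(f"{name} is not HH:MM (length {len(value)})")
    return reasons

def scan(log_text):
    hits = [(n, check_line(l)) for n, l in enumerate(log_text.splitlines(), 1)]
    return [(n, reasons) for n, reasons in hits if reasons]

if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_LOG):
        print(f"line {n}: " + "; ".join(reasons))
```

Lines that do not match the assumed layout are skipped rather than flagged, so adapt the field split to the real proxy or syslog format before relying on the result.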

Affected packages
  • Tenda / CX12L
    16.03.53.12
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P