How is CVE-2026-11522 exploited?

Network reachability (required): The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the device's HTTP service remotely. Authentication (required): A low-privilege account is sufficient; no administrative credentials are needed to reach the formSetPortMirror function. Victim interaction (not-required): No user action or social engineering is needed; the attacker sends a crafted request directly to the endpoint. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race timing, or environmental setup.

What is the impact of CVE-2026-11522?

A successful attacker reads sensitive configuration data and credentials stored on the device. The attacker can write arbitrary data to the stack, enabling control of the device's execution flow and full compromise of the router. The affected service crashes if the overflow is not precisely controlled, causing a denial of service for all traffic the router handles. Because the overflow affects the router's management process, all network traffic flowing through the device is exposed to interception or manipulation after compromise.

Back to search

HIGHCVE-2026-11522Published 2026-06-08Modified 2026-06-08CNA VulDB

CVE-2026-11522: Tenda W20E setPortMirror formSetPortMirror stack-based overflow

A vulnerability was detected in Tenda W20E 15.11.0.6. This vulnerability affects the function formSetPortMirror of the file /goform/setPortMirror. Performing a manipulation of the argument portMirrorMirroredPorts results in stack-based buffer overflow. The attack can be initiated remotely. The exploit is now public and may be used.

CVSS v4.0: 8.7
Severity: HIGH
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

A stack-based buffer overflow affects the Tenda W20E router (firmware version 15.11.0.6) in the formSetPortMirror function, reachable via a crafted HTTP request to the /goform/setPortMirror endpoint. The vulnerability requires a low-privilege account and is exploitable over the network with no victim interaction needed. Successful exploitation gives an attacker full read and write access to the device and can crash or take over the running system. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including VulDB, within minutes of publication and matched against all customer images, including custom-built images that bundle Tenda W20E firmware or related components. Any image containing the affected version is flagged automatically in both registry scans and CI/CD pipeline checks.

Available

Triage

HarborGuard is capable of scoring this CVE at 8.7 HIGH (CVSS v4.0) and weighting it further against each customer environment's compliance policy to determine urgency. Findings are routed to the appropriate team inbox within each customer organization based on asset ownership and policy configuration.

Available

Patch

Because no fix version has been published for CVE-2026-11522, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention once a fix version appears.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the device's HTTP service remotely.
AuthenticationRequired
A low-privilege account is sufficient; no administrative credentials are needed to reach the formSetPortMirror function.
Victim interactionNot required
No user action or social engineering is needed; the attacker sends a crafted request directly to the endpoint.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race timing, or environmental setup.

Blast Radius

A successful attacker reads sensitive configuration data and credentials stored on the device.
The attacker can write arbitrary data to the stack, enabling control of the device's execution flow and full compromise of the router.
The affected service crashes if the overflow is not precisely controlled, causing a denial of service for all traffic the router handles.
Because the overflow affects the router's management process, all network traffic flowing through the device is exposed to interception or manipulation after compromise.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-11522 is active across all customer environments, matching images that bundle the affected Tenda W20E firmware component. Because no upstream fix has been published, HarborGuard monitors the advisory on every ingest cycle and will trigger a patched-image rebuild and, for customers with auto-remediation enabled, a regression run and PR against affected workloads the moment Tenda ships a fix. In the interim, compensating controls worth considering include network-policy isolation to restrict access to the device's HTTP management interface to trusted source IPs only, egress filtering to limit lateral movement in the event of compromise, and disabling the port-mirroring feature via a separate policy flag if it is not operationally required.

See how HarborGuard automates this

Affected packages

Tenda / W20E
15.11.0.6

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

References

Metrics

Get notified