HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-11524Published Modified CNA VulDB

CVE-2026-11524: Tenda W20E Web Management modifyWifiFilterRules stack-based overflow

A vulnerability has been found in Tenda W20E 15.11.0.6. Impacted is the function modifyWifiFilterRules of the file /goform/modifyWifiFilterRules of the component Web Management Interface. The manipulation of the argument wifiFilterListRemark leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Metrics

CVSS v4.0
8.7
Severity
HIGH
Fixed in
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

A stack-based buffer overflow exists in the Tenda W20E router (firmware version 15.11.0.6) within the modifyWifiFilterRules function of the web management interface. The vulnerability is reachable over the network by any authenticated user and is triggered by sending an oversized value in the wifiFilterListRemark argument to the /goform/modifyWifiFilterRules endpoint. Successful exploitation gives an attacker full control of memory execution flow, enabling remote code execution, data disclosure, or complete service disruption on the device. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.

HarborGuard Coverage

Detection

Detection of CVE-2026-11524 is available across every HarborGuard environment; the CVE is ingested from upstream feeds including VulDB within minutes of publication and matched against all customer images, including custom-built firmware and embedded-Linux container images derived from affected Tenda components. Any image in a connected registry or CI/CD pipeline that carries the affected Tenda W20E 15.11.0.6 component is flagged automatically.

Available
Triage

Triage is available with a CVSS v4.0 score of 8.7 (HIGH), weighted against each customer environment's compliance policy to prioritize findings that are exposed in internet-facing or production-tier workloads. Routed alerts reach the appropriate team inbox based on per-org routing rules, so the right engineers see this finding without manual filtering.

Available
Patch

Because no upstream fix version has been published for CVE-2026-11524, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Tenda releases a corrected firmware or the CNA records a fix version. For customers who opt into auto-remediation, the rebuild, regression test run, and PR against affected workloads will be triggered without any manual intervention once a fix is available.

Pending upstream

Exploit Conditions

  • Network reachabilityRequired

    The vulnerable endpoint is exposed over the network through the web management interface, so an attacker must be able to reach the device's HTTP/HTTPS management port.

  • AuthenticationRequired

    The CVSS vector specifies low-privilege credentials (PR:L), meaning any valid low-privilege account on the management interface is sufficient to send the malicious request.

  • Victim interactionNot required

    No user interaction is needed; the attacker sends a crafted HTTP request directly to the endpoint without requiring any action from another user.

  • Attack complexityDetail

    Attack complexity is low (AC:L), meaning the exploit is reliable and requires no special timing, race conditions, or environmental configuration beyond reaching the endpoint with valid credentials.

Blast Radius

  • Reads configuration data, credentials, and any secrets stored in the device memory or management interface session (VC:H).
  • Modifies device configuration, Wi-Fi filter rules, and network policy settings persisted on the router (VI:H).
  • Crashes the web management service or the underlying device firmware, causing a loss of management access and potential network outage (VA:H).
  • Enables arbitrary code execution in the router's process context, allowing an attacker to install persistent backdoors or pivot to adjacent network segments managed by the device.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-11524 is active across all connected registries and pipelines, matching images against the affected Tenda W20E 15.11.0.6 component signature. Because no vendor patch exists yet, HarborGuard monitors the VulDB advisory and the Tenda vendor feed on every ingest cycle. As compensating controls, customers can apply network-policy isolation to restrict management-interface access to trusted administrator source IPs only, enforce egress filtering to limit lateral movement from the device, and gate web management exposure behind a VPN or jump host. For customers who opt into auto-remediation, the moment an upstream fix version is published, HarborGuard will trigger a patched-image rebuild, run regression tests, and open a PR against affected workloads automatically. The median time from CVE publication to a merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled, once a fix is available upstream.

See how HarborGuard automates this
Affected packages
  • Tenda / W20E
    15.11.0.6
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
References