How is CVE-2026-51844 exploited?

Network reachability (required): The vulnerable interface is exposed over the network, so the attacker must be able to reach the device's HTTP service remotely. Authentication (not-required): No credentials or session token of any kind are needed to send a malicious request to the affected endpoint. Victim interaction (not-required): The attack is fully server-side and completes without any action from a user or administrator of the device. Attack complexity (info): Exploitation is reliable and condition-free - no race conditions, specific memory layouts, or environmental prerequisites are required.

What is the impact of CVE-2026-51844?

A successful attacker achieves remote code execution on the router, gaining full control over the device. All data passing through or stored on the device, including credentials and session material, is readable by the attacker. The attacker can modify device configuration, routing rules, and persisted settings arbitrarily. The attacker can crash the device or render it permanently unavailable, disrupting all network traffic the router handles.

Back to search

CRITICALCVE-2026-51844Published 2026-06-19Modified 2026-06-22CNA mitre

CVE-2026-51844: Tenda AC7 v15

Tenda AC7 v15.03.06.44 contains a stack buffer overflow vulnerability in the /goform/AdvSetMacMtuWan interface via the cloneType parameter.

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

A stack-based buffer overflow in the Tenda AC7 v15.03.06.44 router firmware allows an unauthenticated attacker to send a crafted request to the /goform/AdvSetMacMtuWan interface with a malicious cloneType parameter value. The vulnerability is reachable over the network and requires no authentication or user interaction to trigger. Successful exploitation gives the attacker full control over confidentiality, integrity, and availability of the device, enabling remote code execution. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment - the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images derived from affected firmware layers. Any image carrying the vulnerable Tenda AC7 v15.03.06.44 components is flagged automatically.

Available

Triage

HarborGuard scores this CVE at 9.8 CRITICAL using the published CVSS v3.1 vector and weights findings against each customer environment's compliance policy to determine priority and routing. Triage results are delivered to the appropriate team inbox within each customer organization based on configured ownership rules.

Available

Patch

No fix version has been published for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. For customers with auto-remediation enabled, a rebuild, regression test run, and PR against affected workloads will be initiated automatically at that point.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The vulnerable interface is exposed over the network, so the attacker must be able to reach the device's HTTP service remotely.
AuthenticationNot required
No credentials or session token of any kind are needed to send a malicious request to the affected endpoint.
Victim interactionNot required
The attack is fully server-side and completes without any action from a user or administrator of the device.
Attack complexityDetail
Exploitation is reliable and condition-free - no race conditions, specific memory layouts, or environmental prerequisites are required.

Blast Radius

A successful attacker achieves remote code execution on the router, gaining full control over the device.
All data passing through or stored on the device, including credentials and session material, is readable by the attacker.
The attacker can modify device configuration, routing rules, and persisted settings arbitrarily.
The attacker can crash the device or render it permanently unavailable, disrupting all network traffic the router handles.

How HarborGuard Handles This

Available on HarborGuard: this CVE is monitored continuously against customer image inventories at CRITICAL severity. Because no upstream fix exists yet, HarborGuard re-evaluates the advisory on every ingest cycle and will trigger an automatic patched-image rebuild the moment a fix version is published. For customers with auto-remediation enabled, that rebuild will be followed by a regression test run and a PR opened against affected workloads, with a median time from CVE publication to merged patch PR of around 90 minutes for critical-severity issues once a fix is available. In the interim, compensating controls worth considering include network-policy isolation to restrict inbound access to the /goform/ management interface, egress filtering on the router management plane, and disabling the AdvSetMacMtuWan feature via a configuration flag if the firmware permits it. Where compliance policy permits, HarborGuard can surface these compensating-control recommendations directly in the triage workflow for each affected environment.

See how HarborGuard automates this

Affected packages

n/a / n/a
n/a

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

kdev.site

Metrics

Get notified