CRITICAL | CVE-2026-51846 | CNA: mitre

CVE-2026-51846: In Tenda AC7 v15

In Tenda AC7 v15.03.06.44, the wanSpeed parameter of the route /goform/AdvSetMacMtuWan has a stack buffer overflow vulnerability that can lead to remote arbitrary code execution.

Metrics

  • CVSS v3.1: 9.8
  • Severity: CRITICAL
  • Fixed in: (none listed)
  • Affected Products: 1

HarborGuard Analysis

Synopsis

A stack-based buffer overflow in the Tenda AC7 v15.03.06.44 firmware can be triggered over the network by an unauthenticated attacker who sends a crafted wanSpeed parameter to the /goform/AdvSetMacMtuWan route. No login or user interaction is required. Successful exploitation gives the attacker full remote code execution on the device. No fix version has been published; HarborGuard tracks this advisory and will make a patched-image rebuild available the moment upstream ships a fix.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle this firmware or derivative packages.

Status: Available

Triage

HarborGuard scores this finding at CVSS 9.8 (Critical) and is capable of weighting it against each customer organization's compliance policy to determine escalation priority; routing to the appropriate team inbox is handled automatically based on per-environment configuration.

Status: Available

Patch

Because no upstream fix version exists yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix is published. In the interim, the finding remains open and visible in the affected environment's vulnerability dashboard.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the device's web interface over the network; the vulnerable route is exposed via the HTTP management service.

  • Authentication: Not required

    No credentials are needed; the /goform/AdvSetMacMtuWan endpoint is reachable without any prior authentication.

  • Victim interaction: Not required

    The attacker sends a crafted request directly to the device; no user action or social engineering is involved.

  • Attack complexity

    Attack complexity is low, meaning the exploit is reliable and imposes no special preconditions such as race conditions or memory-layout dependencies.

Blast Radius

  • The attacker executes arbitrary code on the device with the privilege level of the firmware process, giving full control of the router.
  • Network traffic routed through the device can be intercepted, redirected, or inspected, exposing all connected clients.
  • Persistent configuration changes can be made, including adding rogue accounts, altering DNS settings, or disabling firewall rules.
  • The device can be crashed or rendered unresponsive, cutting off network access for all downstream hosts.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-51846 is active and will flag any image in a customer registry or pipeline that includes the affected Tenda AC7 v15.03.06.44 firmware components. Because no upstream patch exists at this time, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild automatically the moment a fix version is published. For environments with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will trigger without manual intervention once an upstream fix is available.

In the meantime, compensating controls worth considering include network-policy rules that restrict access to the device management interface to trusted subnets only, egress filtering to limit lateral movement if the device is compromised, and disabling remote management features where they are not operationally required.

Affected packages
  • n/a / n/a
    n/a
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H