Tenda F451 Router Stack Overflow: Public Exploit Available
The National Vulnerability Database (NVD) has reported a critical vulnerability, CVE-2026-6137, impacting the Tenda F451 router, specifically version 1.0.0.7_cn_svn7958. This isn’t some theoretical flaw; it’s a stack-based buffer overflow in the fromAdvSetWan function, reached through the /goform/AdvSetWan file. The overflow is triggered by manipulating the wanmode/PPPOEPassword argument.
What makes this particularly nasty is its remote exploitability and the fact that a public exploit is already out in the wild. This isn’t a zero-day that’s being quietly traded; it’s now widely accessible, meaning script kiddies and more sophisticated actors alike can leverage it. The NVD assigns it a CVSS score of 8.8 (HIGH), with a vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, underscoring the severity. It’s a network-attackable vulnerability requiring low privileges, with no user interaction, leading to high confidentiality, integrity, and availability impacts. This is a classic CWE-119 and CWE-121 scenario – a buffer overflow just waiting to be triggered.
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-6137 | Buffer Overflow | Tenda F451 version 1.0.0.7_cn_svn7958 |
| CVE-2026-6137 | Buffer Overflow | Vulnerable function: fromAdvSetWan in /goform/AdvSetWan |
| CVE-2026-6137 | Buffer Overflow | Vulnerable arguments: wanmode, PPPOEPassword |
| CVE-2026-6137 | Buffer Overflow | CWE-121: Stack-based Buffer Overflow |
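A defender-side check built from the indicators above, added here as an example and not taken from the advisory or from Tenda: it flags requests to /goform/AdvSetWan whose wanmode or PPPOEPassword value is oversized or contains non-printable bytes. The 64-byte threshold, the record layout, the function names and the sample requests are assumptions, since the advisory does not state the buffer size.

```python
from urllib.parse import parse_qsl, urlsplit

ENDPOINT = "/goform/AdvSetWan"           # endpoint named in the advisory
WATCHED = ("wanmode", "PPPOEPassword")   # arguments named in the advisory
MAX_LEN = 64  # ASSUMPTION: the advisory gives no buffer size; tune to your baseline


def inspect_request(target, body=""):
    """Return findings for one HTTP request (request target plus form body)."""
    parts = urlsplit(target)
    if parts.path.rstrip("/").lower() != ENDPOINT.lower():
        return []
    # The arguments may arrive in the query string or in a form-encoded body.
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    findings = []
    for name, value in pairs:
        if name not in WATCHED:
            continue
        raw = value.encode("utf-8")
        if len(raw) > MAX_LEN:
            findings.append(f"{name}: {len(raw)} bytes exceeds {MAX_LEN}")
        elif any(b < 0x20 or b > 0x7E for b in raw):
            # Also fires on legitimate non-ASCII passwords; treat as low severity.
            findings.append(f"{name}: non-printable bytes in value")
    return findings


def scan(records):
    """records: iterable of (source_ip, target, body). Returns (source_ip, finding) pairs."""
    return [(src, f) for src, target, body in records
            for f in inspect_request(target, body)]


# Constructed sample requests (documentation addresses), not captured traffic.
SAMPLE = [
    ("192.0.2.10", "/goform/AdvSetWan", "wanmode=2&PPPOEPassword=hunter2"),
    ("192.0.2.77", "/goform/AdvSetWan", "wanmode=2&PPPOEPassword=" + "A" * 600),
    ("192.0.2.77", "/goform/AdvSetWan?wanmode=" + "1" * 200, ""),
    ("192.0.2.10", "/index.html", "PPPOEPassword=" + "A" * 600),
]

if __name__ == "__main__":
    for src, finding in scan(SAMPLE):
        print(f"ALERT {src} {ENDPOINT} {finding}")
```

The same length test can be applied at a reverse proxy or IDS in front of the management interface, where it sees the request before the router does.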