Tenda F456 Buffer Overflow (CVE-2026-7031) Publicly Exploitable

The National Vulnerability Database has disclosed CVE-2026-7031, a high-severity buffer overflow affecting Tenda F456 1.0.0.5 routers. This vulnerability resides in the fromSafeMacFilter function within the /goform/SafeMacFilter file and can be triggered by manipulating the page argument. It carries a CVSSv3.1 score of 8.8 (High).

The issue is urgent because the exploit is now public, making these devices immediate targets for remote attackers. The vulnerability has a high impact on confidentiality, integrity, and availability, essentially granting an attacker significant control over the affected router. The attack vector is network-based and requires only low privileges.

For defenders, this means any Tenda F456 1.0.0.5 devices on your network are at severe risk. Attackers will leverage this public exploit to gain initial access, establish persistence, or pivot deeper into networks. The low complexity and remote vector make it an attractive target for opportunistic scanning and exploitation.

What This Means For You

  • If your organization utilizes Tenda F456 1.0.0.5 routers, you must identify and isolate these devices immediately. Given the public exploit, assume compromise and conduct forensic analysis if these devices are internet-facing. Prioritize replacement or secure segmentation until a patch is available, as this is a direct gateway for remote attackers.

Detection Rules

Tenda F456 SafeMacFilter Buffer Overflow Attempt - CVE-2026-7031 (critical, T1190 Initial Access)

Sigma YAML:
title: Tenda F456 SafeMacFilter Buffer Overflow Attempt - CVE-2026-7031
id: scw-2026-04-26-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit the CVE-2026-7031 vulnerability in Tenda F456 routers. This rule specifically looks for POST requests targeting the /goform/SafeMacFilter endpoint with a 'page=' parameter, which is indicative of the buffer overflow exploit targeting the function fromSafeMacFilter.
author: SCW Feed Engine (AI-generated)
date: 2026-04-26
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7031/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  # All three fields in the selection must match (logical AND)
  selection:
    cs-uri|contains:
      - '/goform/SafeMacFilter'
    # Matches only when page= appears in the URL query string; form
    # parameters sent in a POST body are not recorded in this field
    cs-uri-query|contains:
      - 'page='
    cs-method:
      - 'POST'
  condition: selection
falsepositives:
  - Legitimate administrative activity
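
The following triage script is an added example, not part of the original rule or of any Tenda or SCW tooling. It applies the same three conditions as the Sigma selection to access-log lines and also reports POSTs to the endpoint that the rule cannot see into. It assumes combined-format logs from a proxy or sensor in front of the router; the `MAX_LEN` threshold, function names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/goform/SafeMacFilter"  # vulnerable handler path, from the advisory
PARAM = "page"                      # vulnerable argument, from the advisory
MAX_LEN = 32                        # assumed triage threshold, not from the advisory

# Combined-log-format prefix: source, timestamp, request line, status
LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def classify(line):
    """Return (source, verdict) for one log line, or None if it is irrelevant."""
    m = LINE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if ENDPOINT.lower() not in url.path.lower():
        return None
    values = parse_qs(url.query, keep_blank_values=True).get(PARAM)
    if m["method"] == "POST" and values is not None:
        # Endpoint + page in the query string + POST: the Sigma selection
        verdict = "oversized-page" if max(map(len, values)) > MAX_LEN else "sigma-match"
    else:
        # Rule would not fire: not a POST, or page is absent from the logged
        # query string (a POST body is not recorded in access logs)
        verdict = "endpoint-only"
    return m["src"], verdict

def scan(lines):
    """Group source addresses by verdict across an iterable of log lines."""
    hits = {}
    for line in lines:
        result = classify(line)
        if result:
            hits.setdefault(result[1], []).append(result[0])
    return hits

# Constructed sample lines using documentation address ranges, not real traffic
SAMPLE = [
    '192.0.2.10 - - [26/Apr/2026:13:20:01 +0000] "POST /goform/SafeMacFilter?page=1 HTTP/1.1" 200 310',
    '198.51.100.7 - - [26/Apr/2026:13:21:40 +0000] "POST /goform/SafeMacFilter?page=' + "x" * 200 + ' HTTP/1.1" 200 0',
    '203.0.113.5 - - [26/Apr/2026:13:22:15 +0000] "POST /goform/SafeMacFilter HTTP/1.1" 200 310',
    '192.0.2.10 - - [26/Apr/2026:13:23:02 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for verdict, sources in scan(SAMPLE).items():
        print(verdict, sources)
```

Sources reported as `endpoint-only` deserve the same review as rule matches when they come from outside the administrative network, since the log alone cannot show what the request body carried.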

Source: Shimi's Cyber World

Indicators of Compromise

| ID | Type | Indicator |
|---|---|---|
| CVE-2026-7031 | Buffer Overflow | Tenda F456 version 1.0.0.5 |
| CVE-2026-7031 | Buffer Overflow | Vulnerable function: fromSafeMacFilter |
| CVE-2026-7031 | Buffer Overflow | Vulnerable file: /goform/SafeMacFilter |
| CVE-2026-7031 | Buffer Overflow | Vulnerable argument: page |

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: April 26, 2026 at 13:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
