Tenda F456 Buffer Overflow (CVE-2026-7033) Exposes Routers

/HIGH /CVSS 8.8/10
Written by SCW Vulnerability Desk Vulnerability Intelligence
SCW vulnerabilitycvehigh-severitybuffer-overflowcwe-119cwe-120
Tenda F456 Buffer Overflow (CVE-2026-7033) Exposes Routers

The National Vulnerability Database has disclosed CVE-2026-7033, a high-severity buffer overflow vulnerability impacting Tenda F456 routers, specifically version 1.0.0.5. This flaw resides within the fromSafeClientFilter function in the /goform/SafeClientFilter file.

Attackers can exploit this by manipulating the menufacturer/Go argument, leading to a buffer overflow. The attack is remotely executable, meaning adversaries don’t need local network access to trigger it. With a CVSS score of 8.8 (High), this vulnerability presents a significant risk, particularly given that an exploit has been publicly disclosed. This dramatically lowers the bar for attackers.

This isn’t just a theoretical risk; it’s a clear roadmap for compromise. Public exploits mean script kiddies can leverage this just as easily as sophisticated adversaries. For any organization or individual still running this specific Tenda model, the exposure is immediate and critical. These devices often sit at the network edge, making them prime targets for initial access.

What This Means For You

  • If your organization or home network uses a Tenda F456 1.0.0.5 router, you are directly exposed to remote compromise. Immediately isolate or replace these devices. There is no patch available yet, and a public exploit means it's actively being targeted. Do not delay action.

Related ATT&CK Techniques

T1190 Exploit Public-Facing Application Initial Access T1200 Hardware Additions Persistence

🛡️ Detection Rules

2 rules · 6 SIEM formats

2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.

critical T1190 Initial Access

CVE-2026-7033 Tenda F456 Buffer Overflow via SafeClientFilter

Sigma YAML — free preview 
title: CVE-2026-7033 Tenda F456 Buffer Overflow via SafeClientFilter
id: scw-2026-04-26-ai-1
status: experimental
level: critical
description: |
  Detects the specific exploit path and parameters used in CVE-2026-7033 for the Tenda F456 router. The vulnerability lies in the SafeClientFilter function, where manipulation of the 'menufacturer' or 'Go' parameters leads to a buffer overflow. This rule looks for POST requests to '/goform/SafeClientFilter' containing these vulnerable parameters.
author: SCW Feed Engine (AI-generated)
date: 2026-04-26
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7033/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
    category: webserver
detection:
  selection:
      cs-uri: '/goform/SafeClientFilter'
      cs-method: 'POST'
      cs-uri-query|contains:
          - 'menufacturer='
          - 'Go='
  selection_base:
      cs-uri: '/goform/SafeClientFilter'
      cs-method: 'POST'
  selection_indicators:
      cs-uri-query|contains:
          - 'menufacturer='
          - 'Go='
  condition: selection_base AND selection_indicators
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse

✓ Sigma · Splunk SPL Sentinel KQL Elastic QRadar AQL Wazuh Get rules for your SIEM →

Indicators of Compromise

IDTypeIndicator
CVE-2026-7033 Buffer Overflow Tenda F456 version 1.0.0.5
CVE-2026-7033 Buffer Overflow Vulnerable function: fromSafeClientFilter
CVE-2026-7033 Buffer Overflow Vulnerable file: /goform/SafeClientFilter
CVE-2026-7033 Buffer Overflow Vulnerable argument: menufacturer/Go

Written by SCW Vulnerability Desk

Source & Attribution
Source PlatformNVD
ChannelNational Vulnerability Database
PublishedApril 26, 2026 at 14:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Believe this infringes your rights? Submit a takedown request.

Related coverage

CVE-2026-7039: tufantunc ssh-mcp Local Command Injection Exposed

CVE-2026-7039 — A security vulnerability has been detected in tufantunc ssh-mcp up to 1.5.0. The affected element is the function shell.write of the file src/index.ts....

vulnerabilityCVEhigh-severitycommand-injectioncwe-74cwe-77
/SCW Vulnerability Desk /HIGH /7.8 /⚑ 3 IOCs /⚙ 3 Sigma

CVE-2026-7037: Totolink A8000RU Critical OS Command Injection

CVE-2026-7037 — A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function setVpnPassCfg of the file /cgi-bin/cstecgi.cgi of the component...

vulnerabilityCVEcriticalhigh-severitycommand-injectioncwe-77cwe-78
/SCW Vulnerability Desk /CRITICAL /9.8 /⚑ 4 IOCs /⚙ 2 Sigma

Tenda i9 Path Traversal (CVE-2026-7036) Exposes Networks to Remote Exploitation

CVE-2026-7036 — A vulnerability was identified in Tenda i9 1.0.0.5(2204). This vulnerability affects the function R7WebsSecurityHandlerfunction of the component HTTP Handler. The manipulation leads to...

vulnerabilityCVEhigh-severitypath-traversalcwe-22
/SCW Vulnerability Desk /HIGH /7.3 /⚑ 3 IOCs /⚙ 2 Sigma