Tenda FH1202 Router Vulnerability (CVE-2026-7035) Exposes Networks
A critical vulnerability, CVE-2026-7035, has been identified in Tenda FH1202 routers, specifically version 1.2.0.14. The National Vulnerability Database reports this flaw as a stack-based buffer overflow within the fromWrlclientSet function in the /goform/WrlclientSet component of the httpd service. This isn’t theoretical; the exploit is publicly disclosed and can be leveraged remotely.
Attackers can trigger this buffer overflow by manipulating the Go argument, leading to a CVSS v3.1 score of 8.8 (High). This means high confidentiality, integrity, and availability impacts are possible without complex attack conditions or user interaction, requiring only low privileges. For defenders, this is a clear and present danger. A compromised router is a foothold into the internal network, bypassing perimeter defenses. Attackers move laterally from there, establishing persistence, exfiltrating data, or launching further attacks.
While specific affected products beyond the Tenda FH1202 1.2.0.14 are not detailed by the National Vulnerability Database, organizations should assume that any unpatched Tenda devices, especially consumer-grade or small business routers, are at risk. The widespread use of such devices in home offices and small businesses creates a significant attack surface that often goes unmonitored. This isn’t just about the router; it’s about the entire network it protects.
What This Means For You
- If your organization or its remote workforce uses Tenda FH1202 routers, specifically version 1.2.0.14, you need to immediately assess your exposure. This vulnerability (CVE-2026-7035) allows remote attackers to gain control. Prioritize patching or replacing these devices. Also, audit network logs for any unusual activity originating from these routers, as public exploits mean active targeting is highly probable.
Related ATT&CK Techniques
🛡️ Detection Rules
5 rules · 6 SIEM formats5 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
Web Application Exploitation Attempt — CVE-2026-7035
title: Web Application Exploitation Attempt — CVE-2026-7035
id: scw-2026-04-26-1
status: experimental
level: high
description: |
Detects common exploitation patterns targeting web applications. Review CVE-2026-7035 advisories for specific indicators.
author: SCW Feed Engine (auto-generated)
date: 2026-04-26
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-7035/
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection:
cs-uri-query|contains:
- '..'
- 'SELECT'
- 'UNION'
- '<script'
- 'cmd='
- '/etc/passwd'
condition: selection
falsepositives:
- Legitimate activity from CVE-2026-7035
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-7035 | Buffer Overflow | Tenda FH1202 1.2.0.14 |
| CVE-2026-7035 | Buffer Overflow | Vulnerable function: fromWrlclientSet |
| CVE-2026-7035 | Buffer Overflow | Vulnerable file: /goform/WrlclientSet |
| CVE-2026-7035 | Buffer Overflow | Vulnerable component: httpd |
| CVE-2026-7035 | Buffer Overflow | Manipulation of argument: Go |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 26, 2026 at 15:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
CVE-2026-7039: tufantunc ssh-mcp Local Command Injection Exposed
CVE-2026-7039 — A security vulnerability has been detected in tufantunc ssh-mcp up to 1.5.0. The affected element is the function shell.write of the file src/index.ts....
CVE-2026-7037: Totolink A8000RU Critical OS Command Injection
CVE-2026-7037 — A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function setVpnPassCfg of the file /cgi-bin/cstecgi.cgi of the component...
Tenda i9 Path Traversal (CVE-2026-7036) Exposes Networks to Remote Exploitation
CVE-2026-7036 — A vulnerability was identified in Tenda i9 1.0.0.5(2204). This vulnerability affects the function R7WebsSecurityHandlerfunction of the component HTTP Handler. The manipulation leads to...