Tenda F456 Vulnerability: Remote Buffer Overflow in HTTP Daemon

/HIGH /CVSS 8.8/10
Written by SCW Vulnerability Desk Vulnerability Intelligence
SCW vulnerabilitycvehigh-severitybuffer-overflowcwe-119cwe-120
Tenda F456 Vulnerability: Remote Buffer Overflow in HTTP Daemon

The National Vulnerability Database has identified CVE-2026-7057, a high-severity buffer overflow vulnerability impacting Tenda F456 1.0.0.5. This flaw resides within an unspecified function of the /goform/setcfm file, part of the device’s HTTP daemon component. Attackers can trigger this vulnerability remotely by manipulating the funcname/funcpara1 arguments, leading to a CVSS v3.1 score of 8.8 (HIGH).

Exploitation of this vulnerability grants attackers significant control, evidenced by the CVSS vector indicating high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). The National Vulnerability Database also notes that an exploit for this flaw has been publicly disclosed, significantly increasing the immediate risk to unpatched devices. This means adversaries don’t need to develop their own exploits; they can simply leverage existing tools.

For defenders, the critical takeaway is the ease of exploitation and the severe potential impact. This isn’t theoretical; the exploit is out there. Any internet-facing Tenda F456 router running version 1.0.0.5 is a prime target. Attackers will use this to establish persistence, pivot into internal networks, or simply brick devices. This is a direct path to network compromise.

What This Means For You

  • If your organization uses Tenda F456 1.0.0.5 routers, consider them compromised until proven otherwise. Immediately identify all instances of these devices, especially those exposed to the internet. Prioritize patching or, if no patch is available, remove them from service or place them behind robust network segmentation and access controls. Assume attackers are already scanning for this vulnerability.

Related ATT&CK Techniques

T1190 Exploit Public-Facing Application Initial Access T1071.001 Web Protocols Command and Control

🛡️ Detection Rules

2 rules · 6 SIEM formats

2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.

critical T1190 Initial Access

CVE-2026-7057 Tenda F456 HTTP Daemon Remote Buffer Overflow

Sigma YAML — free preview 
title: CVE-2026-7057 Tenda F456 HTTP Daemon Remote Buffer Overflow
id: scw-2026-04-26-ai-1
status: experimental
level: critical
description: |
  This rule detects attempts to exploit CVE-2026-7057 by targeting the /goform/setcfm endpoint with a POST request. The exploit involves manipulating the 'funcname' and 'funcpara1' parameters to trigger a buffer overflow in the Tenda F456 HTTP daemon. This specific URI and parameter pattern is indicative of the known exploit for this vulnerability.
author: SCW Feed Engine (AI-generated)
date: 2026-04-26
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7057/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
    category: webserver
detection:
  selection:
      cs-uri: 
          - '/goform/setcfm'
      cs-method:
          - 'POST'
      cs-uri-query|contains:
          - 'funcname=setpassword'
          - 'funcpara1='
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse

✓ Sigma · Splunk SPL Sentinel KQL Elastic QRadar AQL Wazuh Get rules for your SIEM →

Indicators of Compromise

IDTypeIndicator
CVE-2026-7057 Buffer Overflow Tenda F456 1.0.0.5
CVE-2026-7057 Buffer Overflow Vulnerable component: httpd
CVE-2026-7057 Buffer Overflow Vulnerable file: /goform/setcfm
CVE-2026-7057 Buffer Overflow Vulnerable arguments: funcname, funcpara1

Written by SCW Vulnerability Desk

Source & Attribution
Source PlatformNVD
ChannelNational Vulnerability Database
PublishedApril 27, 2026 at 01:17 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Believe this infringes your rights? Submit a takedown request.

Related coverage

itsourcecode Construction Management System SQLi: CVE-2026-7073

CVE-2026-7073 — A flaw has been found in itsourcecode Construction Management System 1.0. This affects an unknown part of the file /execute.php. This manipulation of...

vulnerabilityCVEhigh-severitysql-injectioncwe-74cwe-89
/SCW Vulnerability Desk /HIGH /7.3 /⚑ 3 IOCs /⚙ 3 Sigma

CVE-2026-7072: CodePanda Source Canteen Management System SQLi

CVE-2026-7072 — A vulnerability was detected in CodePanda Source canteen_management_system 1.0. Affected by this issue is some unknown functionality of the file /api/login.php. The manipulation...

vulnerabilityCVEhigh-severitysql-injectioncwe-74cwe-89
/SCW Vulnerability Desk /HIGH /7.3 /⚑ 3 IOCs /⚙ 3 Sigma

CVE-2026-7071 — CodeAstro Online Job Portal Vulnerability

CVE-2026-7071 — A security vulnerability has been detected in CodeAstro Online Job Portal 1.0. Affected by this vulnerability is an unknown functionality of the file...

vulnerabilityCVEmedium-severitycwe-200cwe-538
/SCW Vulnerability Desk /MEDIUM /5.3 /⚑ 3 IOCs /⚙ 2 Sigma