Tenda F456 Router Vulnerability: Remote Buffer Overflow Exposes Networks

/HIGH /CVSS 8.8/10
Written by SCW Vulnerability Desk Vulnerability Intelligence
SCW vulnerabilitycvehigh-severitybuffer-overflowcwe-119cwe-120
Tenda F456 Router Vulnerability: Remote Buffer Overflow Exposes Networks

The National Vulnerability Database has disclosed CVE-2026-7080, a high-severity vulnerability affecting the Tenda F456 router, specifically version 1.0.0.5. This critical flaw resides within the fromPPTPUserSetting function of the /goform/PPTPUserSetting component within the httpd service. Attackers can trigger a buffer overflow by manipulating the delno argument.

This is not a theoretical vulnerability. The National Vulnerability Database confirms that this exploit has been publicly disclosed, meaning it’s likely already in the hands of malicious actors. Given the remote exploitability and the potential for complete system compromise (CVSS 8.8, High severity), any Tenda F456 routers exposed to the internet are immediate targets. This isn’t just about denial of service; a successful exploit can lead to full control, allowing attackers to pivot deeper into internal networks.

For defenders, the calculus is simple: unpatched, internet-facing Tenda F456 routers are a gaping hole. Attackers are constantly scanning for known vulnerabilities, and a public exploit disclosure means automated attacks are inevitable. The impact of a buffer overflow in a network device like a router is catastrophic, providing a direct gateway for data exfiltration, network segmentation bypass, or establishing persistent footholds.

What This Means For You

  • If your organization or any connected remote offices use Tenda F456 routers, especially version 1.0.0.5, immediately verify their exposure. Prioritize these devices for patching or, if no patch is available, isolate them from direct internet access. Review network logs for unusual activity originating from or targeting these devices.

Related ATT&CK Techniques

T1190 Exploit Public-Facing Application Initial Access T1071.001 Web Protocols Command and Control

🛡️ Detection Rules

2 rules · 6 SIEM formats

2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.

critical T1190 Initial Access

CVE-2026-7080: Tenda F456 PPTPUserSetting Buffer Overflow Attempt

Sigma YAML — free preview 
title: CVE-2026-7080: Tenda F456 PPTPUserSetting Buffer Overflow Attempt
id: scw-2026-04-27-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2026-7080 by targeting the /goform/PPTPUserSetting endpoint with a POST request and manipulating the 'delno' parameter, which is known to trigger a buffer overflow vulnerability in Tenda F456 routers.
author: SCW Feed Engine (AI-generated)
date: 2026-04-27
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7080/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
    category: webserver
detection:
  selection:
      cs-uri: 
          - '/goform/PPTPUserSetting'
      cs-method: 
          - 'POST'
      cs-uri-query|contains:
          - 'delno='
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse

✓ Sigma · Splunk SPL Sentinel KQL Elastic QRadar AQL Wazuh Get rules for your SIEM →

Indicators of Compromise

IDTypeIndicator
CVE-2026-7080 Buffer Overflow Tenda F456 version 1.0.0.5
CVE-2026-7080 Buffer Overflow Vulnerable component: httpd
CVE-2026-7080 Buffer Overflow Vulnerable file: /goform/PPTPUserSetting
CVE-2026-7080 Buffer Overflow Vulnerable function: fromPPTPUserSetting
CVE-2026-7080 Buffer Overflow Vulnerable argument: delno

Written by SCW Vulnerability Desk

Source & Attribution
Source PlatformNVD
ChannelNational Vulnerability Database
PublishedApril 27, 2026 at 06:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Believe this infringes your rights? Submit a takedown request.

Related coverage

CVE-2026-7085 — The Function Z.Url Of The File Src/Routes/Setting/About/Down Path Traversal

CVE-2026-7085 — A vulnerability was determined in HBAI-Ltd Toonflow-app up to 1.1.1. This vulnerability affects the function z.url of the file src/routes/setting/about/downloadApp.ts of the component...

vulnerabilityCVEmedium-severitypath-traversalcwe-22
/SCW Vulnerability Desk /MEDIUM /5 /⚑ 2 IOCs /⚙ 3 Sigma

CVE-2026-7084 — HBAI-Ltd Toonflow-App Server-Side Request Forgery

CVE-2026-7084 — A vulnerability was found in HBAI-Ltd Toonflow-app up to 1.1.1. This affects the function fetch of the file src/routes/setting/vendorConfig/getCodeByLink.ts of the component getCodeByLink...

vulnerabilityCVEmedium-severityserver-side-request-forgerycwe-918
/SCW Vulnerability Desk /MEDIUM /6.3 /⚑ 2 IOCs /⚙ 3 Sigma

CVE-2026-7083 — Likeadmin-Likeshop Likeadmin_php SQL Injection

CVE-2026-7083 — A vulnerability has been found in likeadmin-likeshop likeadmin_php up to 1.9.6. Affected by this issue is the function queryResult of the file server\app\adminapi\lists\tools\DataTableLists.php...

vulnerabilityCVEmedium-severitysql-injectioncwe-74cwe-89
/SCW Vulnerability Desk /MEDIUM /4.7 /⚑ 3 IOCs /⚙ 3 Sigma