Tenda F456 Router Vulnerability (CVE-2026-7099) Exposes Networks

/HIGH /CVSS 8.8/10
Written by SCW Vulnerability Desk Vulnerability Intelligence
SCW vulnerabilitycvehigh-severitybuffer-overflowcwe-119cwe-120
Tenda F456 Router Vulnerability (CVE-2026-7099) Exposes Networks

A critical buffer overflow vulnerability, identified as CVE-2026-7099, has been reported in the Tenda F456 router, specifically version 1.0.0.5. The National Vulnerability Database (NVD) indicates this flaw resides within the formQuickIndex function of the /goform/QuickIndex file, part of the httpd component. Remote manipulation of the mit_linktype argument triggers the overflow.

This vulnerability carries a CVSSv3.1 score of 8.8 (HIGH), reflecting its severe impact. Attackers can exploit this remotely with low privileges, leading to high confidentiality, integrity, and availability impacts. The National Vulnerability Database confirms that a public exploit is available, meaning this isn’t theoretical – it’s actively weaponized.

For defenders, this is a clear and present danger. Tenda F456 routers are common in small office/home office (SOHO) environments. Their widespread deployment, coupled with the ease of remote exploitation and public exploit availability, makes them prime targets. Attackers are looking for the lowest hanging fruit; unpatched SOHO routers are often it. This isn’t just about the router itself; it’s about the network segment it protects and the access it grants into the wider corporate or personal network.

What This Means For You

  • If your organization or remote workforce uses Tenda F456 1.0.0.5 routers, you need to immediately assess your exposure. Public exploits mean attackers are already scanning for these devices. Isolate or replace these devices if a patch isn't available. Do not leave them exposed to the internet.

Related ATT&CK Techniques

T1190 Exploit Public-Facing Application Initial Access T1071.001 Web Protocols Command and Control

🛡️ Detection Rules

2 rules · 6 SIEM formats

2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.

critical T1190 Initial Access

Tenda F456 Router QuickIndex Buffer Overflow Attempt (CVE-2026-7099)

Sigma YAML — free preview 
title: Tenda F456 Router QuickIndex Buffer Overflow Attempt (CVE-2026-7099)
id: scw-2026-04-27-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2026-7099 by targeting the formQuickIndex function in the Tenda F456 router. This rule looks for POST requests to the /goform/QuickIndex endpoint with the 'mit_linktype' parameter, which is indicative of a buffer overflow attempt.
author: SCW Feed Engine (AI-generated)
date: 2026-04-27
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7099/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
    category: webserver
detection:
  selection:
      cs-uri|contains:
          - '/goform/QuickIndex'
      cs-uri-query|contains:
          - 'mit_linktype='
      cs-method:
          - 'POST'
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse

✓ Sigma · Splunk SPL Sentinel KQL Elastic QRadar AQL Wazuh Get rules for your SIEM →

Indicators of Compromise

IDTypeIndicator
CVE-2026-7099 Buffer Overflow Tenda F456 version 1.0.0.5
CVE-2026-7099 Buffer Overflow Vulnerable function: formQuickIndex in /goform/QuickIndex
CVE-2026-7099 Buffer Overflow Vulnerable component: httpd
CVE-2026-7099 Buffer Overflow Manipulation of argument: mit_linktype

Written by SCW Vulnerability Desk

Source & Attribution
Source PlatformNVD
ChannelNational Vulnerability Database
PublishedApril 27, 2026 at 12:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Believe this infringes your rights? Submit a takedown request.

Related coverage

Dell iDRAC10 Vulnerability: Low-Privilege Race Condition Grants High Access

CVE-2026-35155 — Dell iDRAC10, versions 1.20.70.50 and 1.30.05.10, contains an Insufficiently Protected Credentials vulnerability. A race condition vulnerability exists that could allow an authenticated low‑privileged...

vulnerabilityCVEhigh-severityrace-conditioncwe-522
/SCW Vulnerability Desk /HIGH /7.1 /⚑ 2 IOCs /⚙ 3 Sigma

GCHQ CyberChef XSS Vulnerability (CVE-2026-42615) Identified

CVE-2026-42615 — GCHQ CyberChef before 11.0.0 allows XSS via Show Base64 offsets, as demonstrated by the /#recipe=Show_Base64_offsets('%3Cscript substring.

vulnerabilityCVEhigh-severitycross-site-scripting-xsscwe-79
/SCW Vulnerability Desk /HIGH /7.2 /⚑ 3 IOCs /⚙ 2 Sigma

CVE-2026-23773 — Server-Side Request Forgery

CVE-2026-23773 — Dell Disk Library for Mainframe, version(s) DLm 8700/2700 contain(s) a Server-Side Request Forgery (SSRF) vulnerability. A low privileged attacker with remote access could...

vulnerabilityCVEmedium-severityserver-side-request-forgerycwe-918
/SCW Vulnerability Desk /MEDIUM /4.3 /⚑ 2 IOCs /⚙ 3 Sigma