Tenda HG3 2.0 Router Vulnerability: Remote Stack Buffer Overflow

The National Vulnerability Database has identified CVE-2026-7151, a critical stack-based buffer overflow vulnerability in Tenda HG3 2.0 routers. Specifically, the formUploadConfig function within the /boaform/formIPv6Routing file is susceptible to manipulation of the destNet argument, which overflows a stack buffer and can lead to remote code execution.

This isn’t a theoretical issue; an exploit for CVE-2026-7151 has been publicly disclosed, meaning attackers can leverage it now. With a CVSS score of 8.8 (HIGH), this vulnerability presents a significant risk, allowing unauthenticated remote attackers to achieve high impact on confidentiality, integrity, and availability. The widespread use of Tenda routers in home and small office environments means a large attack surface for threat actors.

Attackers will likely target unpatched devices via automated scans, exploiting the known public vulnerability. The low complexity of the attack and the remote vector make this an attractive target for botnet operators or those looking to establish persistent access within networks. Defenders must prioritize patching or isolating these devices immediately.

What This Means For You

  • If your organization or home network utilizes Tenda HG3 2.0 routers, you are directly exposed to a critical, publicly exploited vulnerability. Prioritize immediately patching these devices or, if a patch isn't available, isolating them from public internet access. Assume compromise and audit network traffic for unusual activity originating from or targeting these routers.

🛡️ Detection Rules

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.

critical T1190 Initial Access

CVE-2026-7151 Tenda HG3 2.0 Remote Stack Buffer Overflow via formUploadConfig

Sigma YAML
title: CVE-2026-7151 Tenda HG3 2.0 Remote Stack Buffer Overflow via formUploadConfig
id: scw-2026-04-27-ai-1
status: experimental
level: critical
description: |
  Detects HTTP requests to /boaform/formIPv6Routing on Tenda HG3 2.0 routers, the handler in which CVE-2026-7151 lets a manipulated 'destNet' argument trigger a stack-based buffer overflow in formUploadConfig. The rule matches on the request path only, so every hit is a candidate exploit attempt that still needs review.
author: SCW Feed Engine (AI-generated)
date: 2026-04-27
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7151/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  # /boaform/formIPv6Routing is a URL path, so match the request URI field
  # of the webserver log source rather than file-access event fields.
  selection:
    cs-uri-stem|contains: '/boaform/formIPv6Routing'
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse
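The rule above keys on the handler path alone, so legitimate administration also matches. As an added example (not part of the original page or its rule set), this Python script narrows such hits by checking whether the destNet value is a plausible IPv6 destination. The record layout, the 43-character limit and the sample records are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/boaform/formIPv6Routing"  # handler path named in the advisory
PARAM = "destNet"                         # argument named in the advisory
MAX_LEN = 43  # assumption: longest textual IPv6 prefix, 39 chars + "/128"

def classify(value):
    """Return None for a plausible IPv6 destination, else a reason string."""
    if len(value) > MAX_LEN:
        return f"oversized ({len(value)} chars)"
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        return "not an IP network"
    return None if net.version == 6 else "not IPv6"

def triage(records):
    """records: iterable of (src_ip, request_target, form_body) tuples."""
    findings = []
    for src, target, body in records:
        url = urlsplit(target)
        if url.path != TARGET_PATH:
            continue
        # The argument may arrive in the query string or the form body.
        params = parse_qs(url.query, keep_blank_values=True)
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
        for value in params.get(PARAM, []):
            reason = classify(value)
            if reason:
                findings.append((src, reason))
    return findings

# Constructed sample records (not captured traffic).
SAMPLE = [
    ("192.168.1.10", "/boaform/formIPv6Routing", "destNet=2001%3Adb8%3A%3A%2F64&submit=Apply"),
    ("203.0.113.7", "/boaform/formIPv6Routing", "destNet=" + "A" * 300),
    ("203.0.113.9", "/boaform/formIPv6Routing?destNet=10.0.0.0%2F8", ""),
    ("192.168.1.10", "/index.html", "destNet=" + "A" * 300),
]

if __name__ == "__main__":
    for src, reason in triage(SAMPLE):
        print(f"{src}: suspicious {PARAM}: {reason}")
```

Form bodies rarely appear in plain access logs, so the records would have to come from a proxy, WAF or network sensor that captures request parameters.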


Indicators of Compromise

ID              Type             Indicator
CVE-2026-7151   Buffer Overflow  Tenda HG3 2.0
CVE-2026-7151   Buffer Overflow  CWE-121: Stack-based Buffer Overflow
CVE-2026-7151   Buffer Overflow  Vulnerable function: formUploadConfig in /boaform/formIPv6Routing
CVE-2026-7151   Buffer Overflow  Vulnerable argument: destNet

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: April 27, 2026 at 23:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
