Tenda CX12L Stack Buffer Overflow (CVE-2026-8138) Risks Remote Exploitation

The National Vulnerability Database has disclosed CVE-2026-8138, a high-severity stack-based buffer overflow vulnerability impacting Tenda CX12L firmware version 16.03.53.12. This flaw resides within the formSetPPTPServer function in the /goform/SetPptpServerCfg file, allowing remote attackers to trigger the overflow.

With a CVSSv3.1 score of 8.8, this vulnerability is serious because it is remotely exploitable and exploit code is publicly available. Successful exploitation has high impact on confidentiality, integrity, and availability, likely leading to device compromise or denial of service. The low attack complexity and the lack of required user interaction make it an attractive target for threat actors.

For defenders, this means Tenda CX12L devices running the affected firmware are exposed to significant risk. Given the public exploit, it’s not a matter of if, but when, these devices will be targeted. Immediate action is required to mitigate potential compromise.

What This Means For You

  • If your organization uses Tenda CX12L routers, particularly firmware version 16.03.53.12, you are directly exposed to CVE-2026-8138. Prioritize isolating these devices or replacing them if a patch is not immediately available. Audit network logs for any unusual activity originating from or targeting these devices.

🛡️ Detection Rules

critical T1190 Initial Access

Tenda CX12L formSetPPTPServer Stack Buffer Overflow - CVE-2026-8138

Sigma YAML:
title: Tenda CX12L formSetPPTPServer Stack Buffer Overflow - CVE-2026-8138
id: scw-2026-05-08-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit the Tenda CX12L stack buffer overflow vulnerability (CVE-2026-8138) by targeting the specific '/goform/SetPptpServerCfg' endpoint with POST requests containing potentially oversized parameters related to PPTP server configuration. This is the primary indicator of exploitation for this vulnerability.
author: SCW Feed Engine (AI-generated)
date: 2026-05-08
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-8138/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  # All three fields in this selection must match (AND);
  # the values listed under one field are alternatives (OR).
  selection:
    cs-uri:
      - '/goform/SetPptpServerCfg'
    cs-method:
      - 'POST'
    # Matches only when one of these names appears in the URL query string;
    # parameters carried in a POST body are not visible in this field.
    # The advisory text does not name the vulnerable parameter.
    cs-uri-query|contains:
      - 'pppoe_username='
      - 'pppoe_password='
      - 'pppoe_server='
      - 'pppoe_retry='
      - 'pppoe_timeout='
      - 'pppoe_mtu='
      - 'pppoe_keepalive='
      - 'pppoe_dns1='
      - 'pppoe_dns2='
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World
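
For auditing logs outside a SIEM, the following is an added example, not part of the original page or the published rule: a Python pass over web access logs that flags requests reaching the endpoint named in the advisory. It assumes combined-format logs from a proxy or sensor in front of the device; the function names and sample lines are constructed for illustration. It matches on path and method only, because POST body parameters never appear in the query string.

```python
import re
from urllib.parse import unquote

# Endpoint named in the advisory, lowercased for comparison.
TARGET_PATH = "/goform/setpptpservercfg"

# Assumption: NGINX/Apache "combined" access log written by a proxy or sensor.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.23 - - [08/May/2026:09:01:12 +0000] "POST /goform/SetPptpServerCfg HTTP/1.1" 200 41 "-" "-"',
    '192.0.2.10 - - [08/May/2026:09:02:40 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "-"',
    '203.0.113.77 - - [08/May/2026:09:03:05 +0000] "POST /goform/%53etPptpServerCfg?t=1 HTTP/1.1" 502 0 "-" "-"',
    '192.0.2.10 - - [08/May/2026:09:04:00 +0000] "GET /goform/SetPptpServerCfg HTTP/1.1" 200 12 "-" "-"',
]

def normalize_path(target):
    """Drop the query string, percent-decode, collapse slashes, lowercase."""
    path = unquote(target.split("?", 1)[0])
    path = re.sub(r"/{2,}", "/", path).rstrip("/")
    # Lowercasing may over-match; that is the safer direction for detection.
    return path.lower()

def find_hits(lines):
    """Return (src, timestamp, method, status) for each request to the endpoint."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or normalize_path(m["target"]) != TARGET_PATH:
            continue  # unparseable line or a different path
        hits.append((m["src"], m["ts"], m["method"], int(m["status"])))
    return hits

def post_hits(lines):
    """Subset matching the rule's method condition (POST)."""
    return [h for h in find_hits(lines) if h[2] == "POST"]

if __name__ == "__main__":
    for src, ts, method, status in post_hits(SAMPLE_LOG):
        print(f"{ts}  {src}  {method} {TARGET_PATH}  status={status}")
```
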

Indicators of Compromise

| ID | Type | Indicator |
| --- | --- | --- |
| CVE-2026-8138 | Buffer Overflow | Tenda CX12L version 16.03.53.12 |
| CVE-2026-8138 | Buffer Overflow | Vulnerable function: formSetPPTPServer |
| CVE-2026-8138 | Buffer Overflow | Vulnerable file/endpoint: /goform/SetPptpServerCfg |
| CVE-2026-8138 | Buffer Overflow | Type: stack-based buffer overflow |

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 08, 2026 at 08:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
