CVE-2026-2185
8.8 HIGH · Published 2026-02-08 · Modified 2026-02-09 · Undergoing Analysis
Quick Summary
A vulnerability in Tenda RX3 routers allows remote attackers to crash the device or potentially run malicious code by sending a specially crafted request to the MAC address filtering configuration page. This is a serious flaw because it can be exploited over the internet with little difficulty.
Who is affected
Users of Tenda RX3 routers with firmware version 16.03.13.11 are affected. An attacker could take control of the router, disrupt network traffic, or use it as a foothold for further attacks on the local network.
Recommended fix
Immediately update the router's firmware to a version later than 16.03.13.11, if available from Tenda. If no patch exists, disable remote administration (WAN access) and consider disabling the MAC filtering feature as a temporary workaround.
Technical Description
A flaw has been found in Tenda RX3 16.03.13.11. The issue affects the function set_device_name of the file /goform/setBlackRule, part of the MAC Filtering Configuration Endpoint component. Manipulating the argument devName/mac causes a stack-based buffer overflow. The attack can be carried out remotely. An exploit has been published and may be used.
CVSS Details
Attack Vector: NETWORK
Complexity: LOW
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-119, CWE-121