CVE-2026-2203
8.8 HIGH · Published 2026-02-09 · Modified 2026-02-09 · Undergoing Analysis
Quick Summary
A buffer overflow vulnerability exists in the web interface of Tenda AC8 routers. An attacker can send a specially crafted network request to crash the device or potentially run malicious code.
Who is affected
Users of Tenda AC8 routers with firmware version 16.03.33.05 are affected. A remote attacker could take control of the router, disrupt internet access, or use it as a foothold into the network.
Recommended fix
Immediately update the router's firmware to a version newer than 16.03.33.05, if available from Tenda. If no patch exists, disable remote administration (WAN access) to the router's management interface.
Technical Description
A flaw has been found in Tenda AC8 16.03.33.05. It affects an unknown functionality of the file /goform/fast_setting_wifi_set in the Embedded Httpd Service component. Manipulating the timeZone argument causes a buffer overflow. The attack can be carried out remotely. The exploit has been published and may be used.
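Where the management interface sits behind an inspecting proxy or IDS, requests to the affected endpoint can be screened before they reach the router. The following is an added example, not part of the advisory or any vendor code: MAX_LEN and the allowed character set are assumed policy values (the advisory does not state the buffer size), and the sample requests are constructed.

```python
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/goform/fast_setting_wifi_set"  # endpoint named in the advisory
PARAM = "timeZone"                              # argument named in the advisory
MAX_LEN = 32  # assumption: policy limit for a time-zone value, not the firmware's buffer size
ALLOWED = set("+-:./_ ")  # assumption: punctuation a time-zone value may need


def inspect_request(raw: bytes) -> list[str]:
    """Return the reasons a raw HTTP/1.x request should be blocked or alerted on."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.decode("latin-1").split("\r\n")[0].split(" ")
    if len(request_line) != 3:
        return []  # not a request line this rule understands
    url = urlsplit(request_line[1])
    if url.path.rstrip("/") != TARGET_PATH:
        return []
    # The advisory does not say whether the argument travels in the query
    # string or in a form body, so both are checked.
    fields = parse_qs(url.query, keep_blank_values=True)
    for key, values in parse_qs(body.decode("latin-1"), keep_blank_values=True).items():
        fields.setdefault(key, []).extend(values)
    reasons = []
    for value in fields.get(PARAM, []):
        if len(value) > MAX_LEN:
            reasons.append(f"{PARAM} length {len(value)} exceeds {MAX_LEN}")
        if not all(c.isalnum() or c in ALLOWED for c in value):
            reasons.append(f"{PARAM} contains unexpected characters")
    return reasons


# Constructed sample requests (192.0.2.1 is a documentation address).
HEADERS = b" HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n"
BENIGN = b"POST " + TARGET_PATH.encode() + HEADERS + b"ssid=home&timeZone=%2B08%3A00"
OVERSIZED_BODY = b"POST " + TARGET_PATH.encode() + HEADERS + b"timeZone=" + b"A" * 200
OVERSIZED_QUERY = b"GET " + TARGET_PATH.encode() + b"?timeZone=" + b"A" * 200 + HEADERS
OTHER_PATH = b"GET /index.html?timeZone=" + b"A" * 200 + HEADERS

if __name__ == "__main__":
    for name, req in [("benign", BENIGN), ("oversized body", OVERSIZED_BODY),
                      ("oversized query", OVERSIZED_QUERY), ("other path", OTHER_PATH)]:
        print(name, "->", inspect_request(req) or "pass")
```
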
CVSS Details
Attack Vector: NETWORK
Complexity: LOW
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-119, CWE-120
References
- https://github.com/SunnyYANGyaya/cuicuishark-sheep-fishIOT/blob/main/Tenda/AC8/fastsettingwifiset-timezome.md
- https://github.com/SunnyYANGyaya/cuicuishark-sheep-fishIOT/blob/main/Tenda/AC8/fastsettingwifiset-timezome.md#poc
- https://vuldb.com/?ctiid.344906
- https://vuldb.com/?id.344906
- https://vuldb.com/?submit.750226
- https://www.tenda.com.cn/