CVE-2026-24103
Received Received - Intake
Buffer Overflow in Tenda AC15V1 goform/formSetMacFilterCfg

Publication date: 2026-03-03

Last updated on: 2026-03-05

Assigner: MITRE

Description
A buffer overflow vulnerability was discovered in goform/formSetMacFilterCfg in Tenda AC15V1.0 V15.03.05.18_multi.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-03
Last Modified
2026-03-05
Generated
2026-06-16
AI Q&A
2026-03-03
EPSS Evaluated
2026-06-15
NVD
CVE-2026-24103
EUVD
EUVD-2026-9293
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tenda ac15_firmware 15.03.05.18_multi
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-120 The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability is a buffer overflow found in the Tenda AC15 router firmware version V15.03.05.18_multi, specifically in the function handling the endpoint goform/formSetMacFilterCfg.

It occurs because user-supplied parameters are passed without proper input validation, allowing an attacker to send an excessively long deviceList string that overflows the buffer using the strcpy function.

This overflow happens due to lack of boundary checks on the input, which can be exploited by sending a crafted POST request to the vulnerable endpoint.

Impact Analysis

This buffer overflow vulnerability can allow an attacker to potentially execute arbitrary code or cause a denial of service on the affected Tenda AC15 router.

By exploiting the overflow, an attacker might gain control over the device or disrupt its normal operation, impacting network security and availability.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by sending a crafted POST request to the vulnerable endpoint on the Tenda AC15 router firmware version V15.03.05.18_multi. Specifically, the endpoint is /goform/setMacFilterCfg.'}, {'type': 'paragraph', 'content': 'A proof-of-concept method involves using a Python script with the requests library to send a POST request containing a specially crafted, overly long deviceList string designed to trigger the buffer overflow.'}, {'type': 'paragraph', 'content': "The POST request should include cookies with the password 'ssetgb' and POST data with macFilterType set to 'black' and the long deviceList parameter."}, {'type': 'paragraph', 'content': 'Example command using curl (adapted from the PoC concept):'}, {'type': 'list_item', 'content': 'curl -X POST http://192.168.1.1/goform/setMacFilterCfg -H "Cookie: password=ssetgb" -d "macFilterType=black&deviceList=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..."'}, {'type': 'paragraph', 'content': 'Replace the deviceList value with an excessively long string to test for the buffer overflow condition.'}] [1]

Mitigation Strategies

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24103. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart