Executive Summary

CVE-2026-3807 is a stack-based buffer overflow vulnerability in the Tenda FH1202 router firmware version 1.2.0.14(408). It occurs in the HTTP daemon within the function formWrlsafeset, which processes the parameter mit_ssid (or mit_ssid_index). The vulnerability arises because the mit_ssid parameter is copied into a fixed-size stack buffer using the unsafe function sprintf without any length validation or bounds checking.

An attacker can exploit this by sending a crafted HTTP POST request with an excessively long mit_ssid value to the /goform/AdvSetWrlsafeset endpoint, causing a stack overflow. This overflow can lead to denial of service (DoS) or potentially remote code execution (RCE) on the device.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have serious impacts on the affected device and its users. Exploiting the stack-based buffer overflow can lead to denial of service (DoS), causing the router to crash or become unresponsive.

More critically, it may allow remote code execution (RCE), enabling an attacker to execute arbitrary code on the router remotely without requiring local access or physical interaction.

Such control can compromise the confidentiality, integrity, and availability of the device and potentially the network it serves.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring HTTP POST requests sent to the endpoint /goform/AdvSetWrlsafeset on Tenda FH1202 routers. Specifically, look for unusually long or crafted values in the mit_ssid or mit_ssid_index parameters, which are used to trigger the stack-based buffer overflow.'}, {'type': 'paragraph', 'content': 'A practical detection method involves capturing network traffic and filtering for POST requests to the vulnerable endpoint with suspiciously long parameter values.'}, {'type': 'list_item', 'content': "Use a network packet capture tool like tcpdump or Wireshark to monitor traffic to the router's IP on port 80 or 443."}, {'type': 'list_item', 'content': "Example tcpdump command to capture HTTP POST requests to the vulnerable endpoint: tcpdump -A -s 0 'tcp port 80 and (((ip dst <router_ip>) and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354)))'"}, {'type': 'list_item', 'content': 'Inspect captured HTTP POST payloads for the presence of the mit_ssid or mit_ssid_index parameters with abnormally long values.'}, {'type': 'paragraph', 'content': 'Alternatively, a scripted HTTP POST request with a long mit_ssid parameter can be sent to test if the device is vulnerable, but this should be done carefully in a controlled environment.'}] [1, 3, 4]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable endpoint /goform/AdvSetWrlsafeset by limiting network exposure of the Tenda FH1202 router, such as placing it behind a firewall or disabling remote management.

Since no known patches or fixes are available, consider replacing the affected device with a non-vulnerable model or vendor firmware.

Monitor network traffic for exploitation attempts and block suspicious requests targeting the mit_ssid or mit_ssid_index parameters.

Avoid sending or accepting unusually long or malformed inputs to the vulnerable parameters to prevent triggering the buffer overflow.

Useful 0 Not Useful 0