CVE-2026-0640 identifies a buffer overflow vulnerability in the Tenda AC23 router firmware version 16.03.07.52. The vulnerability arises from improper input validation in the sscanf function called by the /goform/PowerSaveSet endpoint, specifically when processing the 'Time' parameter. An attacker can remotely send a crafted request to this endpoint, causing a buffer overflow condition. This flaw does not require authentication or user interaction, making it highly exploitable over the network. The buffer overflow can lead to memory corruption, which attackers may leverage to execute arbitrary code with elevated privileges or cause a denial of service by crashing the device. The vulnerability has been assigned a CVSS 4.0 base score of 8.7, indicating high severity due to its network attack vector, low attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity, and availability. Although no confirmed exploits in the wild have been reported, public proof-of-concept exploits exist, increasing the likelihood of active exploitation attempts. The lack of an official patch at the time of disclosure necessitates immediate mitigation steps to reduce exposure. The Tenda AC23 is a widely used consumer and small office/home office (SOHO) router, making this vulnerability relevant for a broad user base. Attackers targeting this vulnerability could gain persistent control over affected devices, potentially pivoting into internal networks or intercepting sensitive communications.

For European organizations, this vulnerability poses significant risks, especially for small and medium enterprises (SMEs) and home office environments relying on Tenda AC23 routers. Successful exploitation can lead to unauthorized remote code execution, allowing attackers to control the router, intercept or manipulate network traffic, and disrupt internet connectivity. This compromises confidentiality, as sensitive data may be exposed; integrity, as attackers could alter network configurations or traffic; and availability, through denial of service attacks. Given the router’s role as a network gateway, exploitation could facilitate lateral movement into corporate networks or enable persistent backdoors. The risk is heightened in environments where remote management interfaces are exposed to the internet or where firmware updates are not regularly applied. Additionally, the availability of public exploits increases the likelihood of opportunistic attacks targeting vulnerable devices across Europe. Critical infrastructure or organizations with remote workforce setups may face operational disruptions or data breaches if this vulnerability is exploited.

1. Immediately restrict remote access to the router’s management interface by disabling WAN-side administration or limiting access via firewall rules and VPNs. 2. Monitor network traffic for unusual requests targeting the /goform/PowerSaveSet endpoint, which may indicate exploitation attempts. 3. Implement network segmentation to isolate vulnerable routers from critical internal systems, reducing potential lateral movement. 4. Regularly check for and apply official firmware updates from Tenda addressing this vulnerability once released. 5. For organizations unable to update immediately, consider replacing affected devices with routers from vendors with timely security support. 6. Educate users and IT staff about the risks of exposing router management interfaces and the importance of strong administrative credentials. 7. Employ intrusion detection/prevention systems (IDS/IPS) with signatures targeting this specific exploit to detect and block attack attempts. 8. Conduct periodic vulnerability scans to identify devices running the vulnerable firmware version within the network.