CVE-2026-3678 identifies a critical stack-based buffer overflow vulnerability in the Tenda FH451 router firmware version 1.0.0.9. The vulnerability resides in the function sub_3C434 within the /goform/AdvSetWan endpoint, which processes WAN configuration parameters, notably wanmode and PPPOEPassword. Improper validation or bounds checking of these input parameters allows an attacker to overflow the stack buffer remotely. This overflow can corrupt the execution stack, enabling arbitrary code execution with elevated privileges on the device. The vulnerability requires no authentication or user interaction, making it remotely exploitable over the network. The CVSS 4.0 base score is 8.7, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity and no privileges required. Although no confirmed exploits in the wild have been reported, the public disclosure of exploit code increases the likelihood of exploitation attempts. The vulnerability could allow attackers to take full control of affected routers, manipulate network traffic, intercept sensitive data, or launch further attacks within the network. The lack of an official patch at the time of disclosure necessitates immediate mitigations to reduce exposure.

The impact of CVE-2026-3678 is significant for organizations relying on Tenda FH451 routers. Successful exploitation can lead to remote code execution with elevated privileges, resulting in full compromise of the device. This can disrupt network availability by causing device crashes or reboots, degrade integrity by allowing attackers to alter router configurations, and compromise confidentiality through interception or redirection of network traffic. Attackers could establish persistent backdoors, pivot to internal networks, or exfiltrate sensitive information. Given the router’s role as a network gateway, the vulnerability poses a critical risk to enterprise, small business, and home networks. The ease of remote exploitation without authentication amplifies the threat, potentially enabling widespread automated attacks. Organizations may face operational downtime, data breaches, and reputational damage if the vulnerability is exploited.

To mitigate CVE-2026-3678, organizations should immediately restrict external and internal access to the /goform/AdvSetWan endpoint by implementing network segmentation and firewall rules that limit management interface exposure. Disable remote management features if not required. Monitor network traffic for unusual or malformed requests targeting the WAN configuration interface. Employ intrusion detection/prevention systems (IDS/IPS) with updated signatures to detect exploitation attempts. Since no official patch is currently available, consider temporary device replacement or firmware rollback if a previous secure version exists. Engage with Tenda support to obtain security advisories and patches as soon as they are released. Additionally, enforce strong network perimeter defenses and conduct regular vulnerability assessments on network infrastructure devices. Maintain up-to-date asset inventories to identify affected devices promptly.