CVE-2026-4904: Stack-based Buffer Overflow in Tenda AC5
A vulnerability has been found in Tenda AC5 15.03.06.47. This issue affects the function formSetCfm of the file /goform/setcfm of the component POST Request Handler. Such manipulation of the argument funcpara1 leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2026-4904 identifies a stack-based buffer overflow vulnerability in the Tenda AC5 router firmware version 15.03.06.47. The vulnerability exists in the formSetCfm function, which processes POST requests to the /goform/setcfm endpoint. Specifically, the issue stems from improper validation and handling of the funcpara1 parameter, allowing an attacker to overflow the stack buffer by sending a specially crafted POST request. This overflow can corrupt the stack, potentially enabling remote code execution or causing the device to crash, resulting in denial of service. The vulnerability requires no authentication or user interaction, making it remotely exploitable over the network. The CVSS 4.0 score of 8.7 reflects the high impact on confidentiality, integrity, and availability, combined with low attack complexity and no privileges required. While no exploits have been observed in the wild yet, the public disclosure of the vulnerability increases the likelihood of exploitation attempts. The affected product, Tenda AC5, is a consumer-grade Wi-Fi 6 router commonly used in home and small office environments, which may lack advanced security monitoring, increasing exposure risk.
Potential Impact
The impact of CVE-2026-4904 is significant for organizations and individuals using the Tenda AC5 router. Successful exploitation can lead to arbitrary code execution, allowing attackers to take full control of the device. This can result in interception or manipulation of network traffic, insertion of malicious payloads, or pivoting to other devices on the internal network. Additionally, attackers can cause denial of service by crashing the router, disrupting internet connectivity. For enterprises or service providers using these devices in branch offices or remote sites, this vulnerability could lead to compromised network security and data breaches. The lack of authentication requirement and ease of remote exploitation increase the threat level, especially in environments where these routers are directly exposed to the internet or poorly segmented networks.
Mitigation Recommendations
1. Immediate mitigation involves isolating the affected Tenda AC5 devices from untrusted networks, especially the internet, to reduce exposure.
2. Monitor network traffic for unusual POST requests targeting /goform/setcfm and implement intrusion detection/prevention rules to block suspicious payloads containing malformed funcpara1 parameters.
3. Apply vendor-provided firmware updates as soon as they become available; if no patch is currently released, contact Tenda support for guidance or consider temporary device replacement.
4. Employ network segmentation to limit access to the router management interface only to trusted administrators.
5. Disable remote management features if enabled, to prevent external exploitation.
6. Regularly audit router configurations and logs for signs of compromise or exploitation attempts.
7. Educate users and administrators about the risks of exposing router management interfaces to the internet and enforce strong network security policies.
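One way to implement the monitoring in recommendation 2 is a check run over raw HTTP requests taken from a proxy or sensor. This is an added example, not code from the advisory or from Tenda; the `MAX_LEN` threshold is an assumption (the advisory states no buffer size) and the sample requests are constructed.

```python
from urllib.parse import unquote, unquote_to_bytes

TARGET_PATH = "/goform/setcfm"  # endpoint named in the advisory
PARAM = b"funcpara1"            # parameter named in the advisory
MAX_LEN = 64  # ASSUMPTION: the advisory gives no buffer size; tune to observed legitimate values

def inspect_request(raw: bytes, max_len: int = MAX_LEN) -> list[str]:
    """Return findings for one raw HTTP request; an empty list means not flagged."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    if len(parts) < 2:
        return []
    method, target = parts[0], parts[1]
    raw_path, _, query = target.partition("?")
    # Normalise percent-encoding, case and duplicate slashes before matching the path.
    path = "/" + "/".join(p for p in unquote(raw_path).split("/") if p)
    if method.upper() != "POST" or path.lower() != TARGET_PATH:
        return []
    findings = []
    # The parameter can arrive in the form body or the query string; check both.
    for source in (body, query.encode("latin-1")):
        for pair in source.split(b"&"):
            name, _, value = pair.partition(b"=")
            if unquote_to_bytes(name.replace(b"+", b" ")) != PARAM:
                continue
            decoded = unquote_to_bytes(value.replace(b"+", b" "))
            if len(decoded) > max_len:
                findings.append(f"funcpara1 length {len(decoded)} exceeds {max_len}")
            if any(b < 0x20 or b > 0x7E for b in decoded):
                findings.append("funcpara1 contains non-printable bytes")
    return findings

# Constructed sample requests (not captured traffic); 192.0.2.1 is a documentation address.
HDR = b" HTTP/1.1\r\nHost: 192.0.2.1\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n"
SAMPLES = {
    "benign": b"POST /goform/setcfm" + HDR + b"funcpara1=guest",
    "oversized": b"POST /goform/%73etcfm" + HDR + b"funcpara1=" + b"x" * 300,
    "binary": b"POST /goform/setcfm" + HDR + b"funcpara1=%00%01ab",
    "other_endpoint": b"POST /goform/other" + HDR + b"funcpara1=" + b"x" * 300,
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        print(label, inspect_request(request))
```

The length is measured after percent-decoding, so an encoded value cannot slip under the threshold, and the path is normalised first so that `/goform/%73etcfm` is treated the same as `/goform/setcfm`.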
Affected Countries
China, United States, India, Brazil, Russia, Germany, United Kingdom, France, Australia, South Africa
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-03-26T15:57:56.353Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69c6c6933c064ed76fdc298c
Added to database: 3/27/2026, 6:04:03 PM
Last enriched: 3/27/2026, 6:07:06 PM
Last updated: 3/27/2026, 11:39:35 PM