CVE-2026-4905 is a stack-based buffer overflow vulnerability identified in the Tenda AC5 router firmware version 15.03.06.47. The vulnerability resides in the formWifiWpsOOB function, which handles POST requests to the /goform/WifiWpsOOB endpoint. Specifically, improper validation of the 'index' parameter allows an attacker to overflow the stack buffer by sending a crafted POST request. This overflow can overwrite the return address or other control data on the stack, enabling remote code execution (RCE) without requiring authentication or user interaction. The vulnerability is exploitable over the network (AV:N), with low attack complexity (AC:L), and no privileges or user interaction needed (PR:L, UI:N). The CVSS 4.0 score of 8.7 reflects the high impact on confidentiality, integrity, and availability, with full control over the device possible upon successful exploitation. Although no confirmed exploits are currently active in the wild, proof-of-concept exploit code has been published, increasing the risk of imminent attacks. The vulnerability affects a widely deployed consumer-grade router model, which is often used in home and small office environments, potentially exposing many users to compromise. The lack of available patches at the time of disclosure necessitates immediate mitigation efforts to reduce exposure.

Successful exploitation of CVE-2026-4905 can lead to complete compromise of affected Tenda AC5 routers. Attackers can execute arbitrary code remotely, potentially gaining control over the device’s firmware and network traffic. This compromises the confidentiality of data passing through the router, allows manipulation or disruption of network communications (integrity and availability), and can facilitate further attacks on connected devices or internal networks. For organizations, this could mean unauthorized access to sensitive information, network downtime, and the use of compromised routers as pivot points for lateral movement or launching attacks on other infrastructure. The vulnerability’s remote and unauthenticated nature significantly increases the attack surface, especially in environments where these routers are exposed to untrusted networks or the internet. The widespread use of Tenda AC5 in residential and small business settings globally amplifies the potential impact, as many users may lack the expertise or resources to detect or mitigate such attacks promptly.

1. Immediately disable Wi-Fi Protected Setup (WPS) on Tenda AC5 routers if this feature is enabled, as the vulnerability is linked to the WPS-related function. 2. Restrict remote management access to the router’s administrative interface by disabling WAN-side access or limiting it to trusted IP addresses. 3. Implement network segmentation to isolate vulnerable routers from critical internal networks and sensitive assets. 4. Monitor network traffic for unusual POST requests targeting the /goform/WifiWpsOOB endpoint, which may indicate exploitation attempts. 5. Apply any available firmware updates from Tenda as soon as they are released addressing this vulnerability. 6. If patches are not yet available, consider replacing affected devices with models not impacted by this vulnerability, especially in high-risk environments. 7. Educate users and administrators about the risks of exposing router management interfaces to the internet and encourage strong network security hygiene. 8. Employ intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics to detect exploitation attempts targeting this vulnerability.