CVE-2026-4906 identifies a stack-based buffer overflow vulnerability in the Tenda AC5 router firmware version 15.03.06.47. The vulnerability resides in the decodePwd function of the /goform/WizardHandle component, which processes POST requests. Specifically, the vulnerability arises from improper handling of the WANT/WANS argument, which can be manipulated by an attacker to overflow the stack buffer. This overflow can corrupt memory, potentially allowing remote code execution or denial of service conditions. The vulnerability requires no authentication or user interaction and can be triggered remotely over the network, making it highly exploitable. The CVSS 4.0 base score is 8.7 (high), reflecting the network attack vector, low complexity, no privileges or user interaction required, and high impact on confidentiality, integrity, and availability. While no exploits are currently known to be used in the wild, the public disclosure of the exploit code increases the urgency for remediation. The affected product, Tenda AC5, is a consumer and small office/home office (SOHO) router widely used in various regions. The lack of available patches at the time of disclosure means users must rely on temporary mitigations until official updates are released.

The vulnerability allows remote attackers to execute arbitrary code or cause denial of service on affected Tenda AC5 routers. This can lead to full compromise of the device, enabling attackers to intercept, modify, or redirect network traffic, disrupt internet connectivity, or use the device as a foothold for further attacks within the network. For organizations, this could result in data breaches, loss of service, and exposure to lateral movement by attackers. The impact is particularly severe for environments relying on these routers for critical connectivity or those with poor network segmentation. The exploitability without authentication or user interaction significantly increases the risk, especially for devices exposed directly to the internet. The absence of known active exploitation currently provides a limited window for mitigation before potential widespread attacks emerge.

Organizations and users should immediately check if their Tenda AC5 routers are running firmware version 15.03.06.47 and avoid exposing these devices directly to the internet. Network administrators should implement firewall rules to restrict access to router management interfaces from untrusted networks. Disabling remote management features temporarily can reduce exposure. Monitoring network traffic for unusual POST requests targeting /goform/WizardHandle may help detect exploitation attempts. Until an official patch is released by Tenda, consider replacing affected devices or isolating them on segmented networks. Regularly check the vendor’s website or trusted security advisories for firmware updates addressing this vulnerability. Employing network intrusion detection systems (NIDS) with signatures for this exploit can provide additional defense layers. Finally, educating users about the risks of outdated firmware and enforcing timely updates is critical.