CVE-2026-4960 is a stack-based buffer overflow vulnerability identified in the Tenda AC6 router firmware version 15.03.05.16. The flaw resides in the fromWizardHandle function of the /goform/WizardHandle component, which processes POST requests. Specifically, the vulnerability arises from improper validation and handling of the WANT/WANS argument, allowing an attacker to craft a malicious POST request that overflows the stack buffer. This overflow can corrupt adjacent memory, potentially enabling remote code execution or causing a denial of service by crashing the device. The vulnerability requires no authentication or user interaction, making it remotely exploitable over the network. The exploit has been publicly disclosed, though no confirmed active exploitation has been reported yet. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:L), no user interaction (UI:N), and high impact on confidentiality, integrity, and availability (VC:H/VI:H/VA:H). The vulnerability affects a popular consumer router model, widely used in various countries, increasing the potential attack surface. Due to the critical nature of router devices in network infrastructure, exploitation could lead to full device compromise, interception or manipulation of network traffic, and disruption of internet connectivity.

The impact of CVE-2026-4960 is significant for organizations and individuals relying on Tenda AC6 routers. Successful exploitation can lead to arbitrary code execution on the device, allowing attackers to take full control of the router. This can result in interception and manipulation of all network traffic passing through the device, including sensitive data leakage, man-in-the-middle attacks, and insertion of malicious payloads. Additionally, attackers could disrupt network availability by causing device crashes or persistent denial of service. For enterprises using these routers in branch offices or small networks, this vulnerability could serve as a foothold for lateral movement into internal networks. The lack of authentication requirement and ease of exploitation increase the likelihood of attacks, especially as exploit code is publicly available. The widespread deployment of Tenda AC6 in consumer and SMB markets globally amplifies the risk, potentially affecting millions of users. The vulnerability also poses risks to critical infrastructure and government networks in countries where these devices are prevalent.

To mitigate CVE-2026-4960, organizations and users should immediately check for and apply any official firmware updates or patches released by Tenda addressing this vulnerability. If no patch is available, users should consider temporarily disabling remote management features on the router to reduce exposure. Network administrators should implement network segmentation to isolate vulnerable devices from critical systems and monitor network traffic for suspicious POST requests targeting /goform/WizardHandle. Deploying intrusion detection/prevention systems (IDS/IPS) with signatures for this vulnerability can help detect and block exploitation attempts. Changing default credentials and enforcing strong authentication on router management interfaces is recommended to reduce risk from other attack vectors. Where possible, replacing vulnerable Tenda AC6 devices with more secure alternatives should be considered. Regularly auditing network devices for outdated firmware and known vulnerabilities will help prevent similar risks. Finally, educating users about the risks of unpatched routers and encouraging timely updates is critical.