← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-2872 · CWE-119 · Disclosed 2026-02-21

A security vulnerability has been detected in Tenda A21 1

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a loaded trapdoor, but it sits behind a closet door most enterprises do not even have

CVE-2026-2872 is a stack-based buffer overflow in Tenda A21 firmware 1.0.0.0, specifically in the set_device_name function behind the /goform/setBlackRule MAC filtering endpoint. The public write-up says a crafted devName parameter can overflow a 256-byte stack buffer via sprintf, potentially crashing the web process or giving an attacker code execution as root on the device.

The vendor's 8.8/HIGH score is technically defensible in a lab, but too generous in a real enterprise queue. The chain already assumes the attacker can reach the device's management plane and has valid credentials (PR:L), and the product itself is an EOL consumer/SOHO range extender with narrow enterprise deployment; that makes this mostly a post-compromise or shadow-IT cleanup problem, not a front-of-queue patch emergency.

"Real bug, weak enterprise priority: it needs authenticated access to a niche EOL extender's local admin UI."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Find a reachable A21 management UI

The attacker first needs an exposed or internally reachable Tenda A21 web interface. Tenda's own guidance says management is a built-in local web server and requires the device connection context, which strongly suggests this is usually LAN-side administration rather than a normal internet-facing service. Typical recon is just curl, a browser, or Internet-wide search if someone exposed the UI by mistake.
Conditions required:
  • A Tenda A21 is actually deployed
  • The attacker can reach its management IP or hostname from their network position
  • The web UI is enabled and responsive
Where this breaks in practice:
  • A21 is an EOL consumer range extender, not a standard enterprise platform
  • Most enterprises will have zero or very few of these devices
  • Management is commonly local-only, not intentionally internet-exposed
Detection/coverage: External attack-surface tools may find exposed Tenda web logins, but model/version fingerprinting is weak. Internal scanners can spot the HTTP UI, yet unauthenticated model certainty is often incomplete.
STEP 02

Obtain valid admin access

The published CVSS and advisory both indicate PR:L, so exploitation assumes authenticated access to the admin interface. In practice that means credential reuse, shared local admin knowledge, prior foothold on the network, or physical proximity to the extender's admin segment. Tools here are ordinary browser login, password spraying against local admin pages, or reuse of known device credentials from previous compromise.
Conditions required:
  • Valid device credentials or equivalent authenticated session
  • Ability to interact with the admin workflow
Where this breaks in practice:
  • This is not unauthenticated internet RCE
  • MFA is rare on devices, but simple password rotation still blocks casual abuse
  • Needing creds means the attacker is already partway through the intrusion chain
Detection/coverage: Login attempts may appear in device logs if logging is enabled, but many SMB/consumer devices have poor telemetry. NAC, VPN, and admin-segment monitoring are more reliable than the device itself.
STEP 03

Send the overflow payload to /goform/setBlackRule

Using the public Python PoC on GitHub, the attacker submits an oversized devName value to /goform/setBlackRule along with a mac field. The write-up attributes the bug to sprintf(mib_vlaue, "%s\t1", dev_name) with no bounds check, letting user-controlled data overwrite stack state.
Conditions required:
  • Authenticated access to the endpoint
  • The target is running vulnerable firmware 1.0.0.0
Where this breaks in practice:
  • The public PoC is a crash-oriented demonstration, not a turnkey worm
  • Reliable code execution on embedded targets is harder than simple denial of service
  • CISA SSVC enrichment marks exploitation as poc and Automatable: no
Detection/coverage: A web proxy, NDR, or HTTP logs can flag oversized POST bodies to /goform/setBlackRule. Commodity vuln scanners are unlikely to safely validate exploitability without credentials.
STEP 04

Turn stack corruption into impact

At minimum, a large payload can crash the httpd process and break management. With target-specific exploit work, the overflow could steer execution into ROP or shellcode and yield root on the embedded Linux device, which is the meaningful worst case. The GitHub write-up explicitly claims control of the instruction pointer is reachable.
Conditions required:
  • Precise payload shaping for the target architecture
  • A stable exploitation path beyond simple process crash
Where this breaks in practice:
  • Embedded exploitation reliability varies by build, memory layout, and watchdog behavior
  • Getting root code execution is materially harder than demonstrating a crash
Detection/coverage: Watch for httpd restarts, management UI timeouts, device reboots, or sudden configuration drift. EDR does not exist here; network and config monitoring carry the detection burden.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo confirmed active exploitation found in the sources reviewed. CISA KEV does not list CVE-2026-2872, and the CISA ADP enrichment attached to the CVE record says exploitation status is poc, not known active abuse.
Proof-of-conceptPublic PoC/advisory is available in QIU-DIE/cve-nneeww issue #3. The write-up demonstrates a long devName POST to /goform/setBlackRule and shows firmware emulation screenshots.
EPSSUser-supplied EPSS is 0.00112 (0.112%), which is low attacker-interest territory. Percentile was not present in the supplied intel, so treat the score itself as the signal.
KEV statusNot KEV-listed as of the CISA catalog page reviewed. No added date exists because the CVE is absent from the catalog.
CVSS vectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H = network reachable, low complexity, but requires low privileges. That PR:L is the main reason this drops sharply in a real patch queue.
Affected versionsThe CNA/NVD/OpenCVE record names Tenda A21 firmware 1.0.0.0 as affected. Tenda's support page for A21 exposes only A21 Firmware V1.0.0.0 and marks the product EOL.
Fixed versionsNo public fixed firmware was identified in the vendor materials reviewed. For defenders, that means this is primarily a contain/replace problem, not a normal patch-cadence problem.
Scanning / exposure dataThere is no model-specific public count for exposed A21s in the reviewed sources. As a rough market signal only, Censys reported 14,049 exposed Tenda router web login interfaces in a 2025 Tenda advisory, but it explicitly said those counts were not model-specific; for A21, internet exposure should be treated as an exceptional misconfiguration, not the default.
Disclosure dateThe CVE was published on 2026-02-21; VulDB/OpenCVE timeline entries show advisory activity on 2026-02-20 and updates on 2026-02-23.
Reporter / source of findingThe CNA record credits hhsw34 (VulDB User) as reporter. The public technical write-up and PoC reference reviewed is the GitHub issue by QIU-DIE.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to LOW (3.7/10)

The decisive factor is attacker position: this is not pre-auth edge RCE, it is authenticated abuse of a local management interface on a niche EOL extender. That combination slashes the reachable population and makes the bug far more relevant to shadow-IT containment than to enterprise-wide emergency patching.

HIGH Authenticated-access requirement materially lowers enterprise urgency
MEDIUM A21 deployment prevalence inside typical enterprises is very low
MEDIUM Public PoC exists, but reliable RCE beyond crash behavior is not well-demonstrated in primary sources

Why this verdict

  • Vendor baseline starts high, then collapses on friction: 8.8/HIGH assumes the impact once triggered; it does not price in how rarely enterprises expose or even deploy this exact EOL extender.
  • Requires authenticated remote access: PR:L means the attacker already has device credentials or equivalent foothold. That is downward pressure because it implies post-initial-access rather than true internet-edge compromise.
  • Reachable population is narrow: A21 is a consumer/SOHO range extender, not a mainstream enterprise appliance. In a 10,000-host environment, this is usually a tiny shadow-IT subset, often zero.
  • Management-plane locality matters: Tenda's own login guidance describes a built-in local web server reached from a connected device. That implies NGFW policy, admin VLANs, NAC, and simple non-exposure break a lot of real attack paths before the overflow even matters.
  • Exploit evidence is weak: there is a public PoC and the CVE record says it 'may be used,' but no KEV entry, no confirmed campaign data in reviewed sources, and the user-supplied EPSS is very low.

Why not higher?

Because this is not unauthenticated mass-exploitation material. The chain needs a reachable admin interface, a real A21 deployment, and valid privileges; each prerequisite narrows the victim pool and compounds the odds that the attacker is already inside. The product category also matters: consumer extender vulnerabilities do not deserve the same queue position as equivalent bugs in widely deployed enterprise edge gear.

Why not lower?

Because if you do have one, the technical consequence is still ugly: stack corruption in an embedded network device can mean root compromise, persistent tampering, or at minimum loss of device management. Public exploit details are available, and unsupported edge-adjacent devices are exactly the sort of forgotten assets that linger unmanaged.

05 · Compensating Control

What to do — in priority order.

  1. Inventory and quarantine A21 devices — Find any Tenda A21 units and move them off production user segments into a restricted management or guest network. For a LOW verdict there is no formal noisgate mitigation SLA, so treat this as backlog hygiene, but do it promptly if the device sits anywhere near sensitive networks because no public fixed firmware was identified.
  2. Block access to the admin UI from user networks — Restrict HTTP access to the device management plane so only a small admin subnet can reach it. This breaks the most practical exploitation path and is the right control when the bug requires authenticated use of a local web interface; for LOW, handle as backlog hygiene unless the UI is internet-exposed, in which case accelerate.
  3. Rotate device credentials — Change any shared or inherited Tenda admin passwords and remove reused credentials. Since exploitation requires privileges, credential hygiene directly reduces exploitability; for LOW, do it during normal hygiene work, or immediately if you suspect shadow IT or password reuse.
  4. Plan replacement, not patch dependence — The A21 support page marks the product EOL and the reviewed vendor materials did not show a newer fixed firmware. Treat any discovered A21 as a replacement candidate rather than something you expect to patch cleanly.
What doesn't work
  • Relying on EDR: these embedded extenders do not run your normal endpoint stack, so EDR will not stop or meaningfully detect exploitation.
  • Depending on perimeter WAF: the vulnerable surface is the device's own admin UI, typically on an internal/local segment, not an app you front with a normal enterprise WAF.
  • Waiting for routine patch Tuesday motion: no public fixed A21 firmware was identified, so standard patch cadence does not solve the exposure.
06 · Verification

Crowdsourced verification payload.

Run this from an auditor workstation that can reach the extender's management IP on the same network segment as the device. Invoke it as python3 check_cve_2026_2872.py http://192.168.0.254 or python3 check_cve_2026_2872.py http://re.tenda.cn; no admin privileges are needed on the workstation, but the script only performs safe fingerprinting and may return UNKNOWN if the UI hides model/version details.

noisgate-verify.py
PYTHONREAD-ONLYSAFE
#!/usr/bin/env python3
# Safe fingerprint check for CVE-2026-2872 on Tenda A21
# Exit codes: 0=PATCHED/NOT-AFFECTED, 1=VULNERABLE, 2=UNKNOWN

import re
import sys
import requests
from urllib.parse import urljoin

TIMEOUT = 5
HEADERS = {"User-Agent": "noisgate-cve-check/1.0"}


def fetch(url):
    r = requests.get(url, headers=HEADERS, timeout=TIMEOUT, allow_redirects=True, verify=False)
    return r.status_code, r.text[:200000], r.headers


def normalize_base(base):
    if not base.startswith("http://") and not base.startswith("https://"):
        base = "http://" + base
    return base.rstrip("/")


def main():
    requests.packages.urllib3.disable_warnings()  # type: ignore

    if len(sys.argv) != 2:
        print("UNKNOWN")
        print("Usage: python3 check_cve_2026_2872.py <base_url>")
        sys.exit(2)

    base = normalize_base(sys.argv[1])
    candidates = [
        base,
        urljoin(base + "/", "index.html"),
        urljoin(base + "/", "login.html"),
    ]

    pages = []
    for url in candidates:
        try:
            status, body, headers = fetch(url)
            pages.append((url, status, body, headers))
        except Exception:
            continue

    if not pages:
        print("UNKNOWN")
        print("Could not reach target web UI")
        sys.exit(2)

    blob = "\n".join([p[2] for p in pages])
    headers_blob = "\n".join([str(dict(p[3])) for p in pages])
    combined = (blob + "\n" + headers_blob).lower()

    is_tenda = any(x in combined for x in ["tenda", "tendawifi", "re.tenda.cn"])
    if not is_tenda:
        print("PATCHED")
        print("Target does not fingerprint as a Tenda web UI; likely not affected")
        sys.exit(0)

    model_a21 = any(x in combined for x in ["a21", "ac2100", "range extender"])
    version_1000 = bool(re.search(r"v?1\.0\.0\.0\b", combined))

    # Safe heuristic only: vulnerable if we can identify A21 + vulnerable version.
    if model_a21 and version_1000:
        print("VULNERABLE")
        print("Fingerprinted as Tenda A21 firmware 1.0.0.0, the affected version for CVE-2026-2872")
        sys.exit(1)

    # If we clearly see A21 but no version, we cannot safely claim patched because no public fixed version was identified.
    if model_a21 and not version_1000:
        print("UNKNOWN")
        print("A21 fingerprint detected but firmware version not confirmed; no public fixed version was verified")
        sys.exit(2)

    print("UNKNOWN")
    print("Tenda device detected, but model/version could not be safely confirmed")
    sys.exit(2)


if __name__ == "__main__":
    main()
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, do not spin up an emergency campaign for this CVE across the fleet; instead, query your asset inventory and network scans for any Tenda A21 presence at all. If you find one, treat it as shadow IT: restrict admin-plane reachability and credential exposure during normal cleanup, then replace or decommission it because no public fixed firmware was identified. For a LOW verdict there is no noisgate mitigation SLA and effectively no noisgate remediation SLA beyond backlog hygiene, so document the risk, remove internet exposure immediately if present, and fold replacement into normal unsupported-device cleanup rather than urgent enterprise-wide patching.

Sources

  1. NVD CVE-2026-2872
  2. OpenCVE record for CVE-2026-2872
  3. Public GitHub advisory / PoC write-up
  4. Tenda A21 support page (EOL, firmware listing)
  5. Tenda login guidance for web management page
  6. CISA Known Exploited Vulnerabilities Catalog
  7. Censys advisory on Tenda exposure context
  8. FIRST EPSS overview
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.