CVE-2026-2873 · A vulnerability was detected in Tenda A21 1.0.0.0.

01 · The Real Story

This is a sharp knife left in a locked kitchen, not a landmine in the lobby

CVE-2026-2873 is a buffer overflow in setSchedWifi behind Tenda A21 firmware 1.0.0.0, specifically the /goform/openSchedWifi handler. The reported trigger is oversized schedStartTime or schedEndTime input, and the public write-up shows unsafe strcpy into a small fixed buffer, which means a crash is easy and code execution is plausible on the embedded web process. Authoritative sources only name 1.0.0.0 as affected; I did not find a vendor-published fixed version.

The vendor/NVD-style HIGH baseline overstates the enterprise patch priority. The decisive friction is reachability: this sits on a router/extender management plane that is usually LAN-only, and the published CVSS also assumes PR:L, meaning the exploit path already starts from authenticated access or an already-exposed admin surface. Public PoC keeps this out of LOW, but the combination of low EPSS, no KEV listing, no confirmed in-the-wild use, and typically narrow exposure pushes it down to MEDIUM for a 10,000-host enterprise program.

"Public PoC, but this is mostly a management-plane bug with narrow real-world reach in enterprise fleets."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Reach the management interface with curl or Python requests

The attacker first needs HTTP reachability to the device's web UI and the vulnerable path /goform/openSchedWifi. In practice this usually means local-network adjacency, VPN access, or a misconfigured WAN-exposed admin page rather than broad internet reach.

Conditions required:

Tenda A21 running firmware 1.0.0.0
HTTP admin interface reachable from the attacker's position
Management service not filtered by ACL/VPN

Where this breaks in practice:

Most enterprises do not expose small-office router admin pages directly to the internet
These devices are far less common than mainstream enterprise edge gear
Branch/home-office devices may sit behind ISP NAT, cutting direct reachability

Detection/coverage: External attack-surface tools may flag exposed Tenda HTTP services, but generic scanners will usually detect product exposure better than they detect this exact code path.

STEP 02

Satisfy PR:L with valid admin access or equivalent session reuse

The published CVSS vector includes PR:L, so the working assumption should be that the attacker needs authenticated web access or an existing low-privilege session context. That makes this a post-auth management-plane bug unless your deployment has weak/default credentials or a separate auth bypass that turns it into something worse.

Conditions required:

Valid credentials, session cookie, or another path to authenticated requests
Admin UI accepts requests to the vulnerable handler

Where this breaks in practice:

MFA is rare on this class of device, but password management and disabled remote admin still matter
If credentials are unique and the interface is LAN-only, the attacker is already partway through the kill chain

Detection/coverage: Web logs, if retained at all, may show authenticated POSTs to /goform/openSchedWifi; many embedded devices log too little for reliable forensics.

STEP 03

Trigger the overflow using the public QIU-DIE PoC

The public GitHub issue includes a Python requests proof of concept that posts oversized schedStartTime data. That lowers weaponization cost materially: a crash-grade exploit is already commodity, while stable RCE would still require target-specific memory-corruption work against the device firmware and architecture.

Conditions required:

Ability to send crafted POST data
Vulnerable handler present and reachable
Input not normalized or length-checked upstream

Where this breaks in practice:

The published PoC demonstrates a trigger, not a reliable one-shot RCE chain
Embedded exploit reliability varies by build, libc, watchdog behavior, and memory layout

Detection/coverage: Network IDS can look for oversized POST bodies to /goform/openSchedWifi; many vuln scanners will miss this unless they use safe authenticated checks.

STEP 04

Crash httpd or gain code execution on the device

The immediate practical effect is likely denial of service of the management web process; the write-up also argues that arbitrary code execution may be possible with careful heap or control-flow manipulation. If code execution lands, the attacker owns an edge device that can be used for traffic interception, DNS tampering, or internal pivoting from the network boundary.

Conditions required:

Exploit stability sufficient for the specific firmware build
Device watchdog or reboot behavior does not erase attacker gains

Where this breaks in practice:

Turning a public crash PoC into durable RCE is nontrivial on embedded targets
Blast radius is usually one appliance, not an identity-wide or tenant-wide takeover

Detection/coverage: Look for unexpected device reboots, HTTP management outages, config drift, DNS changes, and new east-west traffic sourced from the router segment.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No authoritative evidence of active exploitation surfaced in the sources I reviewed, and the CVE is not in CISA KEV as of the catalog page reviewed. That is meaningful downward pressure on urgency. Sources: CISA KEV, NVD
Proof-of-concept availability	Public PoC exists from researcher `QIU-DIE` / submitter `hhsw34`, including a Python `requests` trigger against `/goform/openSchedWifi`. This materially reduces exploit-development cost for crash/DoS behavior. Source: GitHub issue
EPSS	User-supplied EPSS is `0.00112`, which is very low in absolute terms. Secondary EPSS tracking pages place it around the low-teens percentile early after publication, which fits the same story: publicly documented, but not a high-likelihood mass-exploitation favorite. Sources: FIRST EPSS API docs, CVEFind
KEV status	Not KEV-listed in the CISA Known Exploited Vulnerabilities catalog based on the current catalog source reviewed. No KEV date applies. Source: CISA KEV
CVSS vector reality check	`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H` says remote, low complexity, but requires low privileges. That `PR:L` matters: in enterprise reality this is usually a post-auth management-plane flaw, not a spray-and-pray unauthenticated internet worm hole. Source: NVD
Affected versions	Sources consistently name Tenda A21 firmware `1.0.0.0` as affected. I did not find authoritative evidence that a wider version range is impacted. Sources: NVD, OSV
Fixed versions	I found no vendor-published fixed firmware in the reviewed sources. One secondary database explicitly says no newer fixed version information was available at publication time, so treat this as unfixed/unknown-fix-state until Tenda posts a firmware advisory or updated image. Sources: Tenda support page, dbugs/PT
Scanning / exposure data	I found no reliable internet-wide count tied specifically to this CVE and model in primary sources. Practical exposure depends on whether the Tenda admin UI is WAN-reachable; in managed enterprise estates, that is usually the exception, not the norm. Source context: Censys Search overview
Disclosure timeline	CVE published on 2026-02-21 and modified on 2026-02-23 in NVD-backed records. Source: NVD
Researcher / reporting trail	The public exploit reference points to GitHub issue `QIU-DIE/cve-nneeww#4`, opened 2026-02-09, with submitter listed as `hhsw34`. That is useful for validation, but it is still a third-party disclosure rather than a vendor-authored advisory. Source: GitHub issue

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to MEDIUM (5.6/10)

The single biggest reason this lands in MEDIUM is reachability plus privileges: the vulnerable code sits behind a small-network device management plane and the published scoring assumes PR:L, which usually means the attacker already has admin-surface access or an authenticated foothold. Public PoC keeps it relevant, but the lack of KEV status, very low EPSS, and typically narrow exposure population make this a weaker enterprise patch driver than the raw 8.8 suggests.

HIGH Public exploit availability and affected version `1.0.0.0`

MEDIUM Real-world exposure assumptions for A21 deployments in enterprise environments

MEDIUM Whether exploitation reliably reaches RCE versus simple process crash

Why this verdict

Downgrade for attacker position: the CVSS includes PR:L, so the chain starts from authenticated remote access or an already-reachable admin surface, not from a blind internet worm position.
Downgrade for exposure population: Tenda A21 is edge/home-office class gear, and its management UI is usually LAN-only; that sharply narrows the fraction of enterprise deployments reachable at step 1.
Downgrade for threat evidence: no KEV listing, no authoritative in-the-wild reporting, and a very low EPSS mean the vulnerability is not currently behaving like a broad active-campaign priority.
Keep at MEDIUM, not LOW: there is a public PoC, memory corruption on an edge device can become RCE, and compromise of a router/extender can still enable DNS tampering, traffic interception, or pivoting.

Why not higher?

This is not a clean HIGH in enterprise reality because the chain is choked by two practical gates: management-plane reachability and PR:L. Most organizations will only be exposed if they intentionally expose the admin UI, have weak credential hygiene, or are already dealing with post-initial-access activity on the local network.

Why not lower?

I would not bury this as LOW because memory corruption on network infrastructure is never just a cosmetic bug. The exploit is public, the impact can extend beyond a mere UI crash, and the device sits at a useful pivot point if an attacker does achieve execution.

05 · Compensating Control

What to do — in priority order.

Disable WAN-side administration — If any A21 devices are reachable from the internet, shut that door first; this removes the most dangerous reachability precondition and should be done at the next network change window even though MEDIUM has no formal mitigation SLA.
Restrict management to a dedicated admin segment or VPN — Allow HTTP management only from a hardened jump subnet or VPN source range. This collapses the attacker population from 'any internal foothold' to 'only approved admin paths' and should be completed before the remediation window closes.
Rotate device credentials and remove defaults — Because the published vector assumes PR:L, credential hygiene directly attacks the exploit chain. Enforce unique passwords for all branch/home-office appliances and complete the cleanup before the remediation window closes.
Monitor for device crashes and config drift — The most realistic first-stage impact is management-plane instability or reboot behavior. Alert on unexpected reboots, DNS/NTP changes, admin password changes, and new outbound connections from the device segment before the 365-day remediation deadline.
Prepare replacement if no fixed firmware appears — I did not find an authoritative patched version. Track the vendor support page, but if Tenda does not ship a fix, treat replacement or permanent isolation as the remediation path within the MEDIUM remediation window.

What doesn't work

EDR on endpoints does not protect the router itself; this is embedded network gear, so host agents are irrelevant.
Password rotation alone does not solve the bug if the management UI remains broadly reachable; it only raises the PR:L hurdle.
Generic unauthenticated vuln scans may miss this exact handler and create false comfort; exposure detection is easier than vulnerability confirmation here.

06 · Verification

Crowdsourced verification payload.

Run this on an auditor workstation, CI job, or asset-inventory host — not on the router. Invoke it as python3 check_cve_2026_2873.py --model A21 --version 1.0.0.0 for a single device, or python3 check_cve_2026_2873.py --csv inventory.csv for bulk checks where the CSV has model,version columns. No elevated privileges are required.

noisgate-verify.py

PYTHONREAD-ONLYSAFE

#!/usr/bin/env python3
"""
CVE-2026-2873 inventory verifier for Tenda A21.

Purpose:
- Classify assets as VULNERABLE / PATCHED / UNKNOWN using inventory data.
- Current authoritative affected version observed in sources: Tenda A21 firmware 1.0.0.0.
- No authoritative fixed version was found at assessment time.

Exit codes:
  0 = PATCHED / not affected
  1 = VULNERABLE
  2 = UNKNOWN / input error
"""

import argparse
import csv
import sys
from pathlib import Path

AFFECTED_MODELS = {"A21", "TENDA A21"}
AFFECTED_VERSION = "1.0.0.0"


def norm(s: str) -> str:
    return (s or "").strip().upper()


def classify(model: str, version: str) -> str:
    m = norm(model)
    v = (version or "").strip()

    if not m or not v:
        return "UNKNOWN"

    if m not in AFFECTED_MODELS:
        return "PATCHED"

    if v == AFFECTED_VERSION:
        return "VULNERABLE"

    # Only 1.0.0.0 is explicitly listed as affected in the reviewed sources.
    # If you have stronger vendor evidence of a fixed version, replace this logic.
    return "PATCHED"


def single_mode(model: str, version: str) -> int:
    result = classify(model, version)
    print(result)
    return {"PATCHED": 0, "VULNERABLE": 1, "UNKNOWN": 2}[result]


def csv_mode(csv_path: str) -> int:
    path = Path(csv_path)
    if not path.exists():
        print("UNKNOWN")
        print(f"# error: file not found: {csv_path}", file=sys.stderr)
        return 2

    vulnerable = 0
    patched = 0
    unknown = 0

    with path.open(newline="", encoding="utf-8-sig") as fh:
        reader = csv.DictReader(fh)
        required = {"model", "version"}
        if not reader.fieldnames or not required.issubset(set(x.lower() for x in reader.fieldnames)):
            print("UNKNOWN")
            print("# error: CSV must include columns named model and version", file=sys.stderr)
            return 2

        # normalize column lookup
        fieldmap = {name.lower(): name for name in reader.fieldnames}

        for row in reader:
            model = row.get(fieldmap["model"], "")
            version = row.get(fieldmap["version"], "")
            result = classify(model, version)
            print(f"{model},{version},{result}")
            if result == "VULNERABLE":
                vulnerable += 1
            elif result == "PATCHED":
                patched += 1
            else:
                unknown += 1

    print(f"# summary: vulnerable={vulnerable} patched={patched} unknown={unknown}", file=sys.stderr)

    if vulnerable > 0:
        return 1
    if unknown > 0:
        return 2
    return 0


def main() -> int:
    parser = argparse.ArgumentParser(description="Check inventory exposure to CVE-2026-2873")
    parser.add_argument("--model", help="Device model, e.g. A21")
    parser.add_argument("--version", help="Firmware version, e.g. 1.0.0.0")
    parser.add_argument("--csv", help="CSV file with model,version columns")
    args = parser.parse_args()

    if args.csv:
        return csv_mode(args.csv)

    if args.model and args.version:
        return single_mode(args.model, args.version)

    print("UNKNOWN")
    print("# usage: --model A21 --version 1.0.0.0  OR  --csv inventory.csv", file=sys.stderr)
    return 2


if __name__ == "__main__":
    sys.exit(main())

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning: pull your edge-network inventory and find every Tenda A21, especially branch, lab, and home-office gear. This is a MEDIUM call, so there is no noisgate mitigation SLA — go straight to the 365-day remediation window unless you discover WAN-exposed admin pages, in which case close that exposure immediately as an exception. Track the vendor support page for fixed firmware; if Tenda ships one, apply it inside the noisgate remediation SLA of ≤365 days. If no fix appears, plan replacement or permanent isolation before that window closes and document any internet-exposed A21s as priority exceptions.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.