This is a razor blade taped behind the breaker panel, not a landmine in the parking lot
CVE-2026-2877 is a stack-based buffer overflow in the Tenda A18 httpd service, specifically the /goform/WifiExtraSet path handling the wpapsk_crypto5g parameter. Public reversing shows the request reaches fromSetWirelessRepeat, then copies attacker-controlled data into a 16-byte stack buffer with strcpy, creating a crash path and possible code-execution path. The affected version reported by NVD/CPE is Tenda A18 firmware 15.13.07.13.
The vendor's HIGH 8.8 score is technically defensible in a lab because memory corruption on a network appliance can be ugly. In enterprise reality, it overstates urgency: the attack is not unauthenticated internet RCE. The product is a consumer Wi-Fi extender, the management flow is normally reached only after connecting to the extender's local Wi-Fi or LAN admin plane, the CVSS vector itself requires low privileges, and the product line appears EOL with no clear fixed V1.0 firmware published.
4 steps from start to impact.
Step 1: Reach the extender admin plane
The admin UI is reached at re.tenda.cn or the device IP. Vendor setup docs show the configuration page is intended to be opened only after the user connects to the A18 wireless network or local side of the device. Tooling here is trivial: a browser, curl, or the Python requests PoC path shown in the public GitHub issue.
- A Tenda A18 is actually deployed
- The attacker can reach the management interface over local Wi-Fi/LAN or an unusually exposed remote admin path
- The device is running firmware 15.13.07.13

- This is usually not internet-exposed; reaching it often implies local network presence or physical/adjacent proximity
- Many enterprises simply do not deploy this consumer extender class at all
- Branch/home users may replace or isolate these devices before an attacker ever sees them
Step 2: Authenticate to the web UI
The public repro logs in via /login/Auth before sending the malicious POST. That matches the CVSS PR:L requirement: this is an authenticated admin-plane bug, not a no-auth smash-the-edge bug. The weaponized tool in public view is a simple Python requests script embedded in GitHub issue #39.
- Valid admin credentials, default/weak credentials, or prior access to the saved admin password
- The management UI has not been locked behind stronger local controls

- A configured login password stops opportunistic drive-by abuse
- MFA does not exist here, but WPA/WPA2 plus admin password still creates real gating
- Credential theft is a separate attack stage and meaningfully lowers the reachable population

Watch for POST /login/Auth followed by an immediate POST /goform/WifiExtraSet from unusual clients. Few commercial scanners advertise deep authenticated coverage for this exact embedded UI.
Step 3: Trigger the overflow in WifiExtraSet
The repro POSTs configured5g=true and an oversized wpapsk_crypto5g value to /goform/WifiExtraSet. Public reverse engineering shows the request hits set_repeat5, where strcpy copies the attacker string into a 16-byte stack buffer. The disclosed PoC uses a very large POST body to drive the crash path.
- The 5 GHz configuration path is reachable
- The vulnerable handler and function are present in firmware 15.13.07.13
- Request parsing accepts the crafted body

- Embedded targets are often unstable under large-input testing, so many actors will settle for DoS instead of reliable RCE
- Exploit reliability for code execution is not demonstrated publicly in a polished framework
- Any inline IPS tuned for oversized suspicious form posts may break the request if management is traversing a monitored segment

Watch for oversized POST bodies to /goform/WifiExtraSet and repeated crashes/reboots. Signature coverage is likely bespoke, not universal.
Step 4: Crash httpd or seize the extender
Any code execution lands in the httpd context; the demonstrated outcome is at least device crash/DoS. On a small extender, compromise gives local traffic observation/manipulation opportunities and a foothold on that micro-segment, but it does not magically become domain-wide compromise by itself.
- The overflow is exploitable beyond a crash on the target build
- The attacker can tolerate device instability or forced reboot

- Consumer embedded exploitation can be architecture-specific and brittle
- Blast radius is generally one extender or one tiny branch/home segment
- EDR is absent on the appliance, but enterprise impact is still bounded by what this device actually sits in front of
The supporting signals.
| Signal | What the sources show |
|---|---|
| In-the-wild status | No public evidence of active exploitation found in the sources reviewed. Not in CISA KEV and no campaign reporting located. |
| Public PoC | Yes. GitHub issue master-abc/cve #39 includes reverse engineering notes and a Python requests repro that logs in and posts to /goform/WifiExtraSet. |
| EPSS | Low. CVEDetails currently shows about 0.08% EPSS and roughly the 23rd percentile; your supplied value 0.00101 points the same direction: this is not trending like a hot exploitation target. |
| KEV status | Not listed in the CISA Known Exploited Vulnerabilities catalog page reviewed. |
| CVSS vector reality check | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H bakes in PR:L. That matters: this is already telling you the attacker needs some level of authenticated access, which is major downward pressure in real environments. |
| Affected versions | NVD/CPE and the public advisory trail point to Tenda A18 firmware 15.13.07.13. I did not find evidence that A18 V2/V3/V4 firmware trains are included in this CVE. |
| Fixed version | No authoritative fixed V1.0 firmware was located. Tenda's support page still exposes A18V1.0 Firmware V15.13.07.13, and the product search page marks the A18 line EOL. |
| Exposure reality | Vendor docs show setup/admin is reached after connecting to the extender Wi-Fi and browsing to re.tenda.cn. Inference: most real exposure is local/adjacent admin-plane access, not broad public internet reach. |
| Disclosure | Published 2026-02-21 in NVD, sourced from VulDB. |
| Researcher / reporting trail | The public issue credits USTC_BUG_Hunter / GitHub user 942384053. CNA/source in NVD is VulDB. |
noisgate verdict.
The decisive factor is attacker position: this bug requires access to a usually local-only extender management plane plus authenticated admin-level interaction. That sharply narrows the reachable population and makes this much closer to a post-connectivity appliance compromise than an internet-scale emergency.
Why this verdict
- Requires authenticated access: the published repro logs in first and CVSS already says PR:L, which cuts out the huge class of unauthenticated smash-and-grab attacks
- Usually local/adjacent exposure: Tenda's own setup flow assumes the operator is connected to the A18 Wi-Fi/LAN and browses to re.tenda.cn; that implies post-connectivity reach, not broad edge exposure
- Low exploitation pressure: no KEV listing, no public campaign reporting, and low EPSS all push this down from emergency status
- Narrow platform and blast radius: this is one consumer extender model/firmware line, not a ubiquitous enterprise control plane with domain-wide consequences
- EOL amplifies remediation pain, not attacker scale: support weakness makes ownership annoying, but it does not by itself convert a gated local/admin bug into a critical internet event
Why not higher?
Because this is not the classic thing that ruins your weekend at scale: there is no evidence here of unauthenticated public-edge exploitation against a widely exposed enterprise service. The chain depends on prior reachability to a usually local admin plane and low-privilege authentication, which compounds downward pressure on real-world abuse potential.
Why not lower?
It is still memory corruption in network appliance firmware, with public reproduction and plausible code-execution impact. If you actually have these at branches, labs, warehouses, or home-office edge environments, compromise of the device can still enable traffic tampering, persistence on that segment, or service disruption.
What to do — in priority order.
- Inventory every A18 immediately — Find out whether A18 V1.0 / 15.13.07.13 exists anywhere in branch, lab, warehouse, or employee home-office kits. For a MEDIUM verdict there is no mitigation SLA, but you should identify exposure now so the device does not sit invisible until the 365-day remediation window.
- Block management from untrusted networks — Restrict access to the extender web UI so only a small admin subnet or direct local maintenance path can reach it. Even without a formal mitigation deadline for MEDIUM, this is the fastest way to remove the attacker-position advantage.
- Set a strong local admin password — This CVE already requires authenticated access, so removing defaults and weak shared passwords meaningfully reduces reachable abuse. Apply wherever the device is still in service; do it during the next local touch if the unit cannot be centrally managed.
- Retire EOL consumer gear — The A18 line appears EOL and I found no authoritative fixed V1.0 firmware. Treat replacement as the clean remediation path rather than waiting for a patch that may never land; complete within the MEDIUM remediation window.
- Monitor for admin POST abuse — Alert on an unusual POST /login/Auth followed by a large POST /goform/WifiExtraSet body from non-admin hosts. This helps catch exploit attempts in the handful of places where these appliances are still reachable.
- A WAF usually does nothing here because the management UI is commonly local-only and not traversing your normal web protection stack
- EDR on laptops/servers does not protect the extender itself; the vulnerable code runs on the embedded appliance
- Relying on internet perimeter scanning misses the main problem because many of these devices are reachable only from local Wi-Fi/LAN
- Changing upstream router settings alone does not fix the vulnerable httpd handler on the extender
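The step-2 detection note and the "Monitor for admin POST abuse" action both reduce to one correlation over the extender's HTTP access records: a /login/Auth POST followed within a short window by a /goform/WifiExtraSet POST from a host that should not be managing the device, an oversized body on that POST, or a 5xx that may be the httpd crash. The code below is an added example, not part of this page or any vendor tooling; it assumes a constructed log format (client, epoch seconds, method, path, status, body bytes), an assumed admin allowlist, and an assumed 512-byte body threshold.

```python
import re
# Constructed sample access log (not from the page). Fields:
# client, epoch seconds, method, path, HTTP status, request body bytes.
SAMPLE_LOG = """\
192.168.0.10 1700000000 POST /login/Auth 200 64
192.168.0.10 1700000003 POST /goform/WifiExtraSet 200 220
192.168.0.77 1700000100 POST /login/Auth 200 64
192.168.0.77 1700000102 POST /goform/WifiExtraSet 200 4096
192.168.0.78 1700000200 POST /goform/WifiExtraSet 500 5000
"""
LINE_RE = re.compile(r"^(\S+) (\d+) (\S+) (\S+) (\d{3}) (\d+)$")
ADMIN_HOSTS = {"192.168.0.10"}  # assumed: the only host allowed to manage the extender
LOGIN_WINDOW = 60               # seconds: "login immediately followed by config POST"
BODY_THRESHOLD = 512            # assumed: far above any legitimate PSK form body

def parse(line):
    """Return (client, ts, method, path, status, size), or None for junk lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, ts, method, path, status, size = m.groups()
    return client, int(ts), method, path, int(status), int(size)

def find_suspicious(log_text, admin_hosts=ADMIN_HOSTS,
                    window=LOGIN_WINDOW, threshold=BODY_THRESHOLD):
    """Flag WifiExtraSet POSTs from non-admin hosts, with oversized bodies, or ending in 5xx."""
    last_login = {}   # client -> timestamp of its most recent /login/Auth POST
    alerts = []
    for client, ts, method, path, status, size in filter(None, map(parse, log_text.splitlines())):
        if method != "POST":
            continue
        if path == "/login/Auth":
            last_login[client] = ts
            continue
        if path != "/goform/WifiExtraSet":
            continue
        reasons = []
        if client not in admin_hosts:
            login_ts = last_login.get(client)
            if login_ts is not None and ts - login_ts <= window:
                reasons.append(f"non-admin host, login {ts - login_ts}s earlier")
            else:
                reasons.append("non-admin host, no recent login seen")
        if size >= threshold:
            reasons.append(f"body {size} bytes >= {threshold}")
        if status >= 500:
            reasons.append(f"status {status}: handler error, possible httpd crash")
        if reasons:
            alerts.append((client, ts, reasons))
    return alerts
```

On the constructed sample the admin host's ordinary login-then-configure sequence is silent, while the two non-admin hosts are flagged with the reasons a responder needs to triage them.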
Crowdsourced verification payload.
Run this from an auditor workstation on the same local network/Wi-Fi segment as the suspected Tenda A18. Invoke it as `bash check_cve_2026_2877.sh http://192.168.0.254`, or as `bash check_cve_2026_2877.sh http://re.tenda.cn admin YourPassword` if you want it to attempt authenticated checks; no root is required, but the workstation must be able to reach the device over HTTP. The script only reads UI pages (and optionally logs in); it never sends the oversized WifiExtraSet body.
```bash
#!/usr/bin/env bash
# check_cve_2026_2877.sh
# Best-effort verifier for CVE-2026-2877 on Tenda A18.
# Outputs one of: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=VULNERABLE, 1=PATCHED, 2=UNKNOWN, 3=usage/error
# Read-only: fetches UI pages and optionally logs in; it never sends the
# oversized WifiExtraSet body from the public PoC.
set -u

if [[ $# -lt 1 || $# -gt 3 ]]; then
    echo "Usage: $0 <base_url> [username] [password]" >&2
    exit 3
fi

BASE_URL="${1%/}"
USER="${2:-}"
PASS="${3:-}"
# Private scratch dir; do not clobber the TMPDIR env var that mktemp itself honours.
WORKDIR="$(mktemp -d)"
COOKIE_JAR="$WORKDIR/cookies.txt"
BODY="$WORKDIR/body.txt"
trap 'rm -rf "$WORKDIR"' EXIT

fetch() {
    local url="$1"
    curl -ksS -L --max-time 8 -c "$COOKIE_JAR" -b "$COOKIE_JAR" "$url" 2>/dev/null || true
}

post_form() {
    local url="$1" data="$2"
    curl -ksS -L --max-time 8 -c "$COOKIE_JAR" -b "$COOKIE_JAR" -X POST -d "$data" "$url" 2>/dev/null || true
}

have_cmd() {
    command -v "$1" >/dev/null 2>&1
}

# Hex MD5 of a string, using whichever tool the workstation has.
md5hex() {
    local s="$1"
    if have_cmd md5sum; then
        printf "%s" "$s" | md5sum | awk '{print $1}'
    elif have_cmd md5; then
        printf "%s" "$s" | md5 | awk '{print $NF}'
    elif have_cmd openssl; then
        printf "%s" "$s" | openssl md5 | awk '{print $NF}'
    else
        return 1
    fi
}

contains_a18_markers() {
    grep -Eiq '(Tenda|A18|re\.tenda\.cn|Tenda_EXT)' "$BODY"
}

# Firmware strings seen in the UI, with any leading "V" stripped so that
# "V15.13.07.13" and "15.13.07.13" compare equal.
extract_versions() {
    grep -Eo 'V?[0-9]{2}\.[0-9]{2}\.[0-9]{2}\.[0-9]+' "$BODY" | sed 's/^V//' | sort -u
}

# Exits the script as soon as the fetched page settles the question.
# Return codes 10 (not a Tenda/A18 page) and 11 (A18 page, revision unclear)
# tell the caller to keep probing.
classify_from_body() {
    if ! contains_a18_markers; then
        return 10
    fi
    local versions
    versions="$(extract_versions || true)"
    if echo "$versions" | grep -qx '15\.13\.07\.13'; then
        echo "VULNERABLE"
        exit 0
    fi
    # Other A18 hardware revisions are outside the affected CPE for this CVE;
    # the script reports them as PATCHED.
    if grep -Eiq 'A18[[:space:]]*V(2\.0|3\.0|4\.0)|A18 Pro|V02\.03\.' "$BODY"; then
        echo "PATCHED"
        exit 1
    fi
    return 11
}

# 1) Unauthenticated discovery pass
for path in / /index.html /login.html /wizard.html /status.html; do
    fetch "$BASE_URL$path" > "$BODY"
    if [[ -s "$BODY" ]]; then
        classify_from_body || true
    fi
done

# 2) Optional authenticated pass using the login pattern from the disclosed repro
if [[ -n "$USER" && -n "$PASS" ]]; then
    if PASSMD5="$(md5hex "$PASS")"; then
        post_form "$BASE_URL/login/Auth" "username=$USER&password=$PASSMD5" > /dev/null
        for path in / /index.html /status.html /overview.html /advance.html /wireless.html; do
            fetch "$BASE_URL$path" > "$BODY"
            if [[ -s "$BODY" ]]; then
                classify_from_body || true
            fi
        done
    else
        echo "no md5 tool found; skipping authenticated pass" >&2
    fi
fi

# 3) Nothing settled it: report UNKNOWN, and say on stderr whether it at least looked like a Tenda UI.
fetch "$BASE_URL/" > "$BODY"
if contains_a18_markers; then
    echo "Tenda/A18 markers seen but firmware/hardware revision not confirmed" >&2
else
    echo "no Tenda/A18 markers seen at $BASE_URL" >&2
fi
echo "UNKNOWN"
exit 2
```
If you remember one thing.
Sources
- NVD entry for CVE-2026-2877
- Public reversing and reproduction issue
- Tenda A18 support/download page
- Tenda A18 setup guide showing local `re.tenda.cn` management flow
- Tenda A18 Chinese FAQ showing local admin access flow
- Tenda search page marking A18 line EOL
- CISA Known Exploited Vulnerabilities catalog
- CVEDetails entry with EPSS and reference aggregation