Tenda Ac6 Firmware vulnerabilities

CVE-2026-8264 [LOW] CWE-77 CVE-2026-8264: A weakness has been identified in Tenda AC6 15.03.06.23. Affected by this vulnerability is the funct A weakness has been identified in Tenda AC6 15.03.06.23. Affected by this vulnerability is the function formWifiApScan of the file /goform/WifiApScan of the component httpd. Executing a manipulation of the argument wl2g.public.country/wl5g.public.country can lead to os command injection. It is possible to launch the attack remotely. The exploit has been m

CVE-2026-8259 [LOW] CWE-77 CVE-2026-8259: A vulnerability has been found in Tenda AC6 2.0/15.03.06.23. The affected element is an unknown func A vulnerability has been found in Tenda AC6 2.0/15.03.06.23. The affected element is an unknown function of the file /goform/telnet of the component httpd. The manipulation of the argument lan.ip leads to os command injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.

CVE-2026-8265 [LOW] CWE-77 CVE-2026-8265: A security vulnerability has been detected in Tenda AC6 15.03.06.23. Affected by this issue is the f A security vulnerability has been detected in Tenda AC6 15.03.06.23. Affected by this issue is the function get_log_file of the file /goform/getLogFile of the component httpd. The manipulation of the argument wans.flag leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used.

CVE-2025-52221 [CRITICAL] CWE-787 CVE-2025-52221: Tenda AC6 15.03.05.16_multi is vulnerable to Buffer Overflow in the formSetCfm function via the func Tenda AC6 15.03.05.16_multi is vulnerable to Buffer Overflow in the formSetCfm function via the funcname, funcpara1, and funcpara2 parameters.

CVE-2026-4960 [HIGH] CWE-119 CVE-2026-4960: A vulnerability was determined in Tenda AC6 15.03.05.16. Affected is the function fromWizardHandle o A vulnerability was determined in Tenda AC6 15.03.05.16. Affected is the function fromWizardHandle of the file /goform/WizardHandle of the component POST Request Handler. Executing a manipulation of the argument WANT/WANS can lead to stack-based buffer overflow. The attack can be executed remotely. The exploit has been publicly disclosed and may be util

CVE-2026-4961 [HIGH] CWE-119 CVE-2026-4961: A vulnerability was identified in Tenda AC6 15.03.05.16. Affected by this vulnerability is the funct A vulnerability was identified in Tenda AC6 15.03.05.16. Affected by this vulnerability is the function formQuickIndex of the file /goform/QuickIndex of the component POST Request Handler. The manipulation of the argument PPPOEPassword leads to stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit is publicly availa

CVE-2025-70252 [HIGH] CWE-121 CVE-2025-70252: An issue was discovered in /goform/WifiWpsStart in Tenda AC6V2.0 V15.03.06.23_multi. The index and m An issue was discovered in /goform/WifiWpsStart in Tenda AC6V2.0 V15.03.06.23_multi. The index and mode are controllable. If the conditions are met to sprintf, they will be spliced into tmp. It is worth noting that there is no size check,which leads to a stack overflow vulnerability.

CVE-2025-12225 [HIGH] CWE-119 CVE-2025-12225: A vulnerability has been found in Tenda AC6 15.03.06.50. This issue affects some unknown processing A vulnerability has been found in Tenda AC6 15.03.06.50. This issue affects some unknown processing of the file /goform/WifiGuestSet of the component HTTP Request Handler. Such manipulation of the argument shareSpeed leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

CVE-2025-60341 [HIGH] CWE-787 CVE-2025-60341: Tenda AC6 V2.0 15.03.06.50 was discovered to contain a stack overflow in the ssid parameter in the f Tenda AC6 V2.0 15.03.06.50 was discovered to contain a stack overflow in the ssid parameter in the fast_setting_wifi_set function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.

CVE-2025-60337 [HIGH] CWE-787 CVE-2025-60337: Tenda AC6 V2.0 15.03.06.50 was discovered to contain a buffer overflow in the speed_dir parameter in Tenda AC6 V2.0 15.03.06.50 was discovered to contain a buffer overflow in the speed_dir parameter in the SetSpeedWan function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.

CVE-2025-60340 [HIGH] CWE-120 CVE-2025-60340: Multiple buffer overflows in the SetClientState function of Tenda AC6 v.15.03.06.50 allows attackers Multiple buffer overflows in the SetClientState function of Tenda AC6 v.15.03.06.50 allows attackers to cause a Denial of Service (DoS) via injecting a crafted payload into the limitSpeed, deviceId, and limitSpeedUp parameters.

CVE-2025-60338 [HIGH] CWE-787 CVE-2025-60338: Tenda AC6 V2.0 15.03.06.50 was discovered to contain a stack overflow in the page parameter in the D Tenda AC6 V2.0 15.03.06.50 was discovered to contain a stack overflow in the page parameter in the DhcpListClient function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.

CVE-2025-60343 [HIGH] CWE-120 CVE-2025-60343: Multiple buffer overflows in the AdvSetMacMtuWan function of Tenda AC6 v.15.03.06.50 allows attacker Multiple buffer overflows in the AdvSetMacMtuWan function of Tenda AC6 v.15.03.06.50 allows attackers to cause a Denial of Service (DoS) via injecting a crafted payload into the wanMTU, wanSpeed, cloneType, mac, serviceName, serverName, wanMTU2, wanSpeed2, cloneType2, mac2, serviceName2, and serverName2 parameters.

CVE-2025-60339 [HIGH] CWE-787 CVE-2025-60339: Multiple buffer overflow vulnerabilities in the openSchedWifi function of Tenda AC6 v.15.03.06.50 al Multiple buffer overflow vulnerabilities in the openSchedWifi function of Tenda AC6 v.15.03.06.50 allows attackers to cause a Denial of Service (DoS) via injecting a crafted payload into the schedStartTime and schedEndTime parameters.

CVE-2025-60342 [HIGH] CWE-787 CVE-2025-60342: Tenda AC6 V2.0 15.03.06.50 was discovered to contain a stack overflow in the page parameter in the a Tenda AC6 V2.0 15.03.06.50 was discovered to contain a stack overflow in the page parameter in the addressNat function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.

CVE-2025-57528 [HIGH] CWE-20 CVE-2025-57528: An issue was discovered in Tenda AC6 US_AC6V1.0BR_V15.03.05.16_multi_TD01 allowing attackers to caus An issue was discovered in Tenda AC6 US_AC6V1.0BR_V15.03.05.16_multi_TD01 allowing attackers to cause a denial of service via the funcname, funcpara1, funcpara2 parameters to the formSetCfm function (uri path: SetCfm).

CVE-2025-57296 [MEDIUM] CWE-77 CVE-2025-57296: Tenda AC6 router firmware 15.03.05.19 contains a command injection vulnerability in the formSetIptv Tenda AC6 router firmware 15.03.05.19 contains a command injection vulnerability in the formSetIptv function, which processes requests to the /goform/SetIPTVCfg web interface. When handling the list and vlanId parameters, the sub_ADBC0 helper function concatenates these user-supplied values into nvram set system commands using doSystemCmd, without val

CVE-2025-55495 [MEDIUM] CWE-120 CVE-2025-55495: Tenda AC6 V15.03.06.23_multi was discovered to contain a buffer overflow via the list parameter in t Tenda AC6 V15.03.06.23_multi was discovered to contain a buffer overflow via the list parameter in the fromSetIpMacBind function.

CVE-2025-27129 [CRITICAL] CWE-288 CVE-2025-27129: An authentication bypass vulnerability exists in the HTTP authentication functionality of Tenda AC6 An authentication bypass vulnerability exists in the HTTP authentication functionality of Tenda AC6 V5.0 V02.03.01.110. A specially crafted HTTP request can lead to arbitrary code execution. An attacker can send packets to trigger this vulnerability.

CVE-2025-32010 [CRITICAL] CWE-121 CVE-2025-32010: A stack-based buffer overflow vulnerability exists in the Cloud API functionality of Tenda AC6 V5.0 A stack-based buffer overflow vulnerability exists in the Cloud API functionality of Tenda AC6 V5.0 V02.03.01.110. A specially crafted HTTP response can lead to arbitrary code execution. An attacker can send an HTTP response to trigger this vulnerability.