External risk intelligence

Tenda AC7 Stack Buffer Overflow in AdvSetMacMtuWan Interface

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-51845

This vulnerability affects a consumer router, which is designed to be an internet-facing gateway device. The affected interface is part of the router's management or configuration logic, which is commonly accessible and intended for network-based interaction in standard deployments.

Buffer Overflow

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in Tenda AC7 routers, specifically within the interface responsible for configuring WAN MTU settings. This flaw could allow unauthorized access and control over the affected devices, posing a risk to network integrity and data security. The primary concern is to determine if this type of device is deployed within our environment and to what extent.

  • Router vulnerability allows unauthorized control.
  • Critical flaw impacts internet-facing devices.
  • Confirm exposure and relevance within our network.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending a specially crafted request over the network to the router's management interface. This request would target the `/goform/AdvSetMacMtuWan` endpoint and specifically manipulate the `mac` parameter. If successful, this could lead to a stack buffer overflow, potentially allowing the attacker to execute arbitrary code or cause a denial of service.

  • No authentication or user interaction needed.
  • Affected interface and parameter allow remote triggering.
  • Risk of code execution or denial of service.

Live Threat

Current exploitation, exposure, and threat context

A stack buffer overflow in the /goform/AdvSetMacMtuWan interface could allow an unauthenticated attacker to remotely execute arbitrary code on the device. This could impact the device's availability and integrity when the affected interface is accessible over the network.

  • Router code execution.
  • Malicious input to mac parameter.
  • Loss of device functionality.

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical vulnerability affects Tenda AC7 consumer routers, posing a significant risk due to its internet-facing nature. Initial triage should focus on identifying all deployed instances, confirming network reachability and business criticality, and then locating the accountable owner. Remediation planning should be risk-based, considering factors like exposure and potential impact.

  • Identify deployed routers and accountable owners.
  • Verify network reachability and business criticality.
  • Plan risk-based remediation and vendor coordination.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the Tenda AC7 router?

The Tenda AC7 is a consumer-grade wireless router designed to manage home or small office internet connectivity. It functions as the central gateway for devices on a network, handling traffic routing and configuration via internal management interfaces.

What does CWE-121 mean for CVE-2026-51845?

CWE-121 identifies a stack-based buffer overflow. In the context of CVE-2026-51845, this means the router's software fails to properly check the size of data sent to the 'mac' parameter before storing it. When an attacker sends input that exceeds the allocated memory space, it can overwrite adjacent memory, potentially leading to unauthorized code execution or system instability.

How is this Tenda AC7 vulnerability triggered?

The flaw is triggered by sending a malformed request to the '/goform/AdvSetMacMtuWan' interface specifically targeting the 'mac' parameter. Because this interface is part of the router's management logic, the vulnerability is triggered by network-based input alone; it does not require an attacker to have a pre-existing account, administrative credentials, or any physical interaction with the device.

Do I need to worry about this CVE if my device is internal?

Halo Surface Signal notes that this is an internet-facing gateway device. While the primary risk involves access from the public internet, any device reachable over the network can be targeted. You should evaluate if your specific Tenda AC7 unit allows management access from the WAN or if it is isolated to the local network, as reachability dictates the immediate risk level.

Is there a first step to take for Tenda AC7 routers?

Your first step is to perform an inventory of your environment to locate any Tenda AC7 devices in use. Once identified, confirm which ones are reachable over your network and assign responsibility for these assets to the appropriate team. This triage process allows you to prioritize the devices that present the highest risk while you wait for further guidance on security updates.

References