CVE-2026-0640 in AC23
Summary
by MITRE • 01/06/2026
A weakness has been identified in Tenda AC23 16.03.07.52. This affects the function sscanf of the file /goform/PowerSaveSet. Executing a manipulation of the argument Time can lead to buffer overflow. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 01/15/2026
The vulnerability CVE-2026-0640 represents a critical buffer overflow weakness in Tenda AC23 router firmware version 16.03.07.52 that resides within the PowerSaveSet functionality. This issue manifests in the sscanf function call within the /goform/PowerSaveSet file, where improper input validation allows attackers to manipulate the Time argument parameter. The flaw stems from insufficient bounds checking during string parsing operations, creating a condition where user-supplied data can exceed the allocated buffer space. The vulnerability is particularly concerning as it enables remote code execution through a web-based interface, making it accessible to attackers without physical access to the device. The attack vector operates through the web form interface that processes power saving settings, where the Time parameter is directly fed into the vulnerable sscanf function without adequate sanitization or length verification.
The technical exploitation of this vulnerability follows a classic buffer overflow pattern that aligns with CWE-121, which describes stack-based buffer overflow conditions. The flaw occurs when the sscanf function processes user-controllable input from the Time parameter, which is typically expected to contain time format specifications but can instead contain maliciously crafted data. When the input exceeds the predefined buffer limits, it overflows into adjacent memory regions, potentially corrupting program execution flow. The remote nature of this vulnerability means that attackers can leverage web-based exploitation techniques to reach the affected device through standard network protocols. The availability of public exploits for this vulnerability significantly increases the risk profile, as it removes the barrier to entry for potential attackers who may not possess advanced exploitation skills.
The operational impact of CVE-2026-0640 extends beyond simple denial of service to encompass full system compromise and potential lateral movement within network environments. Once exploited, attackers can gain unauthorized access to the router's administrative interface, potentially enabling them to modify network configurations, redirect traffic, or establish persistent backdoors. The vulnerability affects the device's core functionality since PowerSaveSet operations are fundamental to router management, making the exploitation particularly disruptive to network operations. From an attack framework perspective, this vulnerability maps to multiple ATT&CK techniques including T1059 for command execution, T1071 for application layer protocols, and T1190 for exploitation of remote services. The router's web interface serves as the primary attack surface, and successful exploitation could lead to broader network compromise as routers often serve as gateway points for internal network access.
Mitigation strategies for CVE-2026-0640 should prioritize immediate firmware updates from Tenda, as this represents the most effective defense against the known vulnerability. Network administrators should implement network segmentation to limit potential lateral movement if exploitation occurs, while also monitoring for suspicious web traffic patterns or unauthorized configuration changes. The implementation of web application firewalls can help detect and block malicious requests targeting the vulnerable PowerSaveSet endpoint. Additionally, disabling unnecessary web management interfaces and restricting access to administrative functions through network access control lists provides additional defense layers. Security monitoring should focus on detecting abnormal usage patterns in power management settings, as well as tracking unauthorized access attempts to the router's administrative interface. The vulnerability highlights the importance of input validation and proper buffer management in embedded systems, with recommendations to implement proper bounds checking and use safer string handling functions to prevent similar issues in future development cycles.