eastbaycyber

CVE-2026-11504: Tenda CX12L Wi-Fi Schedule Vulnerability

CVE explainers 9 min read
SR
Security Research Desk Expert reviewed
Threat intelligence · Human-verified · Updated 2026-06-08
▲ Escalation ViewOne CVE, briefed at three altitudes — skim the Brief, weigh the Impact, or work the Runbook. The way a SOC actually reads it.
CISOBrief · 30-second brief
Field Value
CVE ID CVE-2026-11504
CVSS score 8.8 (High)
Attack vector Remote
Auth required Unknown from available primary data; defenders should not assume strong protection
Patch status No official fixed version confirmed from retrievable primary sources

TL;DR - Tenda CX12L firmware 16.03.53.12 is affected by a remote stack-based buffer overflow in /goform/openSchedWifi. - Inputs schedStartTime and schedEndTime are implicated; public exploit availability is noted by NVD. - Upgrade guidance is unconfirmed, so restrict exposure and monitor immediately.

Vulnerability at a glance

CVE-2026-11504 is a high-severity stack-based buffer overflow affecting the Tenda CX12L router, with the affected version confirmed as firmware 16.03.53.12. The vulnerable component is the Wi-Fi Schedule Configuration Endpoint, specifically the setSchedWifi function exposed through /goform/openSchedWifi. According to the NVD description, manipulation of the schedStartTime or schedEndTime arguments can trigger the flaw.

For defenders, the important operational point is that the issue is described as remotely exploitable and that the NVD record explicitly states a public exploit exists and may be used. That combination matters more than the score alone. A router administration surface with remotely reachable input handling bugs can expose branch offices, home-office deployments, and unmanaged edge locations where patch governance is often weak.

What this vulnerability is

The root cause, based on the published description, is improper handling of user-supplied input passed into schedStartTime and schedEndTime. The vulnerability class is a stack-based buffer overflow, which typically indicates the application copies attacker-controlled data into a fixed-size stack buffer without adequate bounds checking. In embedded web interfaces, these bugs can lead to service crashes, device instability, or potentially arbitrary code execution, though code execution has not been independently confirmed from the source material available here.

The vulnerable path is identified with unusual specificity for a public CVE entry: function setSchedWifi, file path /goform/openSchedWifi, component Wi-Fi Schedule Configuration Endpoint. That level of detail is useful for triage because it tells defenders where to focus monitoring, access control, and reverse-engineering effort. It also suggests the attack is likely delivered through an HTTP request to the router’s web administration interface rather than through Wi-Fi traffic itself.

Technical Notes

A request pattern defenders should pay attention to is any call into the affected endpoint containing abnormally long values for schedStartTime or schedEndTime. Because the exact exploit payload has not been verified from a retrievable primary source, do not assume a single static signature will be sufficient. Instead, look for oversized parameters, malformed schedule values, or repeated requests against the same endpoint.

POST /goform/openSchedWifi HTTP/1.1
Host: <router-ip>
Content-Type: application/x-www-form-urlencoded

schedStartTime=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&schedEndTime=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB

A normal schedule value would usually be compact and time-like, not hundreds of characters long. Any long-form input to these fields should be considered suspicious until disproven.

AnalystImpact · assess the risk

Who is affected

The only confirmed affected version from the available research is Tenda CX12L firmware 16.03.53.12. That means defenders should immediately inventory for this exact model and firmware revision rather than extrapolating across the entire Tenda product line. Similar firmware branches may also be at risk, but there is not enough verified evidence here to say that confidently without inventing coverage.

The vulnerable component is the Wi-Fi Schedule Configuration Endpoint, with exposure tied to the administrative web interface. In practice, risk is highest where the router UI is reachable from untrusted networks, exposed over WAN management, forwarded through remote administration rules, or accessible from guest or flat internal segments. Even if the endpoint is intended to require authentication, the available primary data does not confirm the exact privilege requirements or whether access controls meaningfully reduce exploitability in deployed environments.

Technical Notes

To identify potentially affected systems, collect model and firmware details directly from devices or management tooling. For environments using ad hoc router administration, defenders may need to query the device web UI manually or inspect exported configuration and inventory records.

# Example workflow for asset inventory documentation
# Replace with your actual management method or CMDB update process.
echo "Model: Tenda CX12L" >> tenda_inventory.txt
echo "Firmware: 16.03.53.12" >> tenda_inventory.txt
echo "Status: Potentially vulnerable to CVE-2026-11504" >> tenda_inventory.txt

If you cannot confirm firmware version quickly, treat internet-exposed CX12L systems as higher risk until validated. The absence of version certainty should bias toward containment, not delay.

CVSS and attack context

The CVSS base score is 8.8, which places the issue in the High severity range. However, the exact CVSS vector string was not available from the retrieved tool output, so it would be inappropriate to assert the full metric set. This matters because practitioners often use the vector to distinguish between unauthenticated network attacks and authenticated administrative flaws. Here, only the score and remote attackability are confirmed.

In the absence of the full vector, defenders should focus on the facts that are established: remote exploitability, stack-based overflow behavior, and public exploit availability noted by NVD. Those three facts justify urgent review even without KEV inclusion. A router flaw on an edge device can have outsized impact because compromise may enable traffic interception, lateral movement staging, DNS tampering, or persistent footholds at locations where EDR visibility is limited.

Exploitation status

Public exploit availability is the clearest exploitation-related fact in the current record. The NVD description states that “The exploit is now public and may be used.” In addition, a GitHub issue is referenced in the CVE record: https://github.com/cve-a/moist/issues/2. While the issue content could not be directly verified from the fetched output, the reference supports the conclusion that public disclosure or exploit discussion exists.

What is not confirmed is active exploitation in the wild. This CVE is not currently listed in the CISA Known Exploited Vulnerabilities catalog, and no primary source in the retrieved material confirms observed attacks against real-world targets. So the most defensible statement is: a public PoC or exploit discussion appears to exist, but in-the-wild exploitation is not confirmed from available primary sources. Defenders should still assume opportunistic scanning is plausible once exploit details are public.

What defenders should do next

First, identify whether any Tenda CX12L devices are running firmware 16.03.53.12. This CVE is specific enough that fast inventory can substantially reduce uncertainty. Prioritize devices with internet-exposed administration interfaces, branch routers, and unmanaged SMB edge deployments. If you cannot determine exposure quickly, default to restricting administrative access.

Second, establish a watch for suspicious requests to /goform/openSchedWifi and correlate them with router instability. Even if exploitation in the wild is not confirmed, public exploit availability raises the likelihood of copycat scanning and opportunistic abuse. If your environment lacks sufficient edge logging, consider temporary network telemetry collection or replacing vulnerable devices with equipment that supports centralized administration and monitoring.

ResponderRunbook · act now

How to detect it

Detection should focus on HTTP requests to /goform/openSchedWifi, particularly those carrying oversized or malformed values in schedStartTime and schedEndTime. If you collect router web logs, reverse proxy logs, or SPAN/PCAP data from branch environments, build analytics around requests to that path. Repeated probing, long parameter lengths, and sequences followed by service restarts are all high-signal indicators.

A second detection angle is device health and availability. Embedded stack overflows often present first as crashes, watchdog resets, web UI lockups, or unexplained reboot events. If the router begins restarting around the same time requests hit /goform/openSchedWifi, treat that as potential exploit activity, even if you do not yet have a payload-level signature. Absence of rich logs on consumer or SMB routers means indirect evidence often matters most.

Technical Notes

Example web or reverse-proxy pattern to search for:

/openSchedWifi
schedStartTime=
schedEndTime=
POST /goform/openSchedWifi

Example Splunk-style search for suspicious requests with long parameter values:

index=network OR index=proxy
("POST /goform/openSchedWifi" OR "/goform/openSchedWifi")
| rex field=_raw "schedStartTime=(?<schedStartTime>[^&\\s]+)"
| rex field=_raw "schedEndTime=(?<schedEndTime>[^&\\s]+)"
| eval start_len=len(urldecode(schedStartTime)), end_len=len(urldecode(schedEndTime))
| where start_len > 16 OR end_len > 16
| table _time, src_ip, dest_ip, http_method, uri_path, start_len, end_len

Example Suricata-style HTTP signature concept for tuning in a lab before production deployment:

alert http $EXTERNAL_NET any -> $HOME_NET any (
  msg:"Possible CVE-2026-11504 exploit attempt";
  flow:to_server,established;
  http.uri; content:"/goform/openSchedWifi";
  http.request_body; content:"schedStartTime=";
  pcre:"/sched(Start|End)Time=[^&]{17,}/";
  sid:2026115041; rev:1;
)

Thresholds should be tuned to your environment. Since valid time values are normally short, very long values are a practical anomaly signal.

Mitigation and patching

At the time of writing, no official patched or fixed version has been confirmed from retrievable primary sources. The only confirmed affected version is 16.03.53.12. There are indications that other firmware versions may exist, including references seen in search results to V16.03.53.23, but that version could not be directly validated as a CX12L release or as the security fix for this CVE. Therefore, it would be irresponsible to present it as the fixed version.

In the absence of a verified patch, mitigation should prioritize exposure reduction. Disable remote administration from the internet, restrict management access to a dedicated admin VLAN, permit access only from known management hosts, and monitor for requests to the vulnerable endpoint. If the device supports ACLs or firewall rules for the administration interface, use them. If it does not, place the management surface behind upstream filtering. For higher-risk deployments, replacement or temporary removal may be justified until Tenda confirms remediation.

Technical Notes

Because no verified fixed firmware version is available, there is no trustworthy upgrade command to provide for a confirmed patch. If your environment has already obtained a newer vendor image through authenticated support channels, validate that the image is explicitly documented for Tenda CX12L and that it references CVE-2026-11504 before deployment.

For immediate containment, block access to the admin UI from untrusted networks. Example upstream firewall controls:

# Example Linux gateway rule to block external access to router admin UI
iptables -A FORWARD -p tcp -d <router-ip> --dport 80 -j DROP
iptables -A FORWARD -p tcp -d <router-ip> --dport 443 -j DROP

If the router exposes a local shell or configuration system and you can disable remote web administration, document and execute that change through your normal process. Where the only available management path is the web UI, ensure access is limited to a jump host or isolated management subnet until a verified firmware fix is available.

References

Primary and supporting references for this article:

Source Notes
NVD entry for CVE-2026-11504 Confirms affected product/version, vulnerable endpoint/function, remote exploitability, public exploit statement, CVSS 8.8
CISA KEV lookup CVE-2026-11504 is not listed in KEV at time of writing
CVE.org record Canonical CVE reference
GitHub reference: https://github.com/cve-a/moist/issues/2 Referenced by CVE record; suggests public technical discussion or PoC presence
VulDB reference: https://vuldb.com/cve/CVE-2026-11504 Referenced by CVE record, but content was not directly verifiable from available retrieval

The bottom line: CVE-2026-11504 affects Tenda CX12L firmware 16.03.53.12, is remotely reachable through /goform/openSchedWifi, and has public exploit availability indicated by NVD. A fixed version is not yet confirmed from retrievable primary sources, so defenders should focus now on exposure reduction, targeted monitoring, and validated vendor follow-up.

For further reading on related topics, check out our articles on what is K-anonymity and the difference between SOC and NOC.

This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

Last verified: 2026-06-08

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.