If you have a Tenda HG3 router sitting in your home or office, a stranger on the internet could right now — without knowing your password or even knocking on your network's front door — take complete control of every device connected to it.
Who Is at Risk — and How Many People Are We Talking About?
Tenda is one of the world's best-selling router brands, particularly dominant in Asia, Eastern Europe, and across developing markets where affordable home networking hardware is in high demand. The HG3 is a widely deployed residential gateway — the box your internet provider may have handed you, or that you picked up at a local electronics shop for under $40. Security researchers have identified this model in millions of homes and small businesses globally. When a flaw this severe hits hardware this common, the blast radius isn't measured in thousands of affected users. It's measured in potentially millions of households whose smart TVs, laptops, phones, baby monitors, and work computers all trust that router with their most sensitive traffic.
This isn't a theoretical lab exercise. The exploit code has already been publicly disclosed — meaning anyone with moderate technical skill and a search engine can find working instructions for pulling this attack off today.
What Can an Attacker Actually Do to You?
Picture your router as a security guard standing at the entrance of your home network. Every piece of data leaving your laptop — your bank login, your work emails, your kids' school portal — passes through this guard first. Normally, the guard checks credentials and only lets authorized traffic through. Now imagine someone figures out a magic phrase that causes the guard to completely black out and hand over their master key. That's essentially what this vulnerability enables.
The attack works by sending a specially crafted request to a specific configuration page built into the router — one designed to handle network routing settings. By stuffing that request with far more data than the router expects in a particular field, an attacker causes the router's memory to overflow and spill into areas it shouldn't touch. When that happens correctly, the attacker's own instructions get loaded into memory and executed with full administrative authority. From that point, the attacker owns the device entirely. They can reroute your internet traffic through their own servers, intercept unencrypted communications, block your access to legitimate websites, install persistent malware that survives reboots, and use your router as a launchpad to attack other devices on your network or elsewhere on the internet.
What makes this especially alarming is that the attacker doesn't need to be anywhere near you. This is a fully remote attack. If your router's management interface is exposed to the internet — which is more common than most people realize, especially with ISP-provisioned hardware — someone sitting in another country can execute this attack in seconds. Even on networks that aren't directly exposed, an attacker who has compromised any single device inside your network (say, through a phishing email) can pivot to the router immediately.
The Technical Detail Security Professionals Need to Know
The vulnerability resides specifically in the formUploadConfig function within the file /boaform/formIPv6Routing on the Tenda HG3 version 2.0 firmware. The attack vector is a classic stack-based buffer overflow triggered by manipulating the destNet argument — an input field intended to accept an IPv6 destination network address. There is no input length validation on this parameter. By supplying an oversized string, an attacker overwrites the stack frame, gains control of the instruction pointer, and achieves arbitrary remote code execution (RCE) with the process's privilege level — which on embedded routers typically means root. The vulnerability has been assigned CVE-2026-7151 and carries a CVSS score of 8.8 (HIGH), reflecting its low attack complexity, no required privileges, and no user interaction needed to exploit it.
How Was This Discovered — and Has Anyone Been Attacked Yet?
The vulnerability was surfaced and publicly documented by independent security researchers, with the full technical write-up and proof-of-concept exploit code released to the public simultaneously with disclosure. This is a double-edged sword: transparency helps defenders understand and patch urgently, but it also hands a working weapon to every malicious actor paying attention.
As of publication, no confirmed active exploitation campaigns have been attributed to this specific CVE in the wild. However, the security community's experience with similar router vulnerabilities — particularly those affecting popular consumer hardware from vendors like TP-Link, Netgear, and D-Link — is sobering. Flaws of this nature are typically weaponized within days to weeks of public disclosure, often folded into botnet recruitment operations like Mirai variants that scan the entire internet looking for vulnerable devices around the clock. The window to act before this becomes a mass exploitation event is narrow.
Tenda has not issued a public statement or confirmed patch timeline at the time of writing. We have reached out for comment and will update this article when a response is received.
What You Should Do Right Now — Three Concrete Steps
These apply whether you're a home user or managing a fleet of these devices in a business environment:
-
Check your firmware version immediately. Log into your Tenda HG3 admin panel (typically at
192.168.0.1or192.168.1.1) and navigate to System Tools → Firmware Version. If you are running HG3 firmware version 2.0, you are vulnerable. Check Tenda's official support page at tendacn.com for any firmware updates above version 2.0 and apply them immediately. Do not wait for an automatic update — this model may not support them. - Disable remote management access without delay. In your router's admin panel, find the Remote Management or WAN Management setting and turn it off completely. There is almost no legitimate reason for your router's admin panel to be reachable from the open internet. This single step dramatically reduces your attack surface even before a patch is available. While you're there, also navigate to the IPv6 routing settings and disable IPv6 entirely if you don't actively need it — this takes the vulnerable endpoint offline.
- If no patch is available, replace the device or isolate it. If Tenda does not release an updated firmware within the next 14 days, treat this device as compromised hardware. Consider replacing it with a router from a vendor with an active security patch program. In the interim, security teams managing these devices in business environments should place the HG3 behind a firewall with strict ACL rules blocking all inbound access to the router's management interface (TCP port 80 and 443 on the LAN-facing admin service), and should monitor network logs for anomalous outbound traffic patterns that could indicate the router has already been compromised.
CVE: CVE-2026-7151 | CVSS: 8.8 HIGH | Affected Hardware: Tenda HG3 Firmware 2.0 | Vulnerability Class: Stack-Based Buffer Overflow / Remote Code Execution | Exploit Status: Publicly disclosed, no confirmed active exploitation at time of publication