CVE-2026-13515
HighCVSS 8.8Exploitation Probability (EPSS)
Low risk38th percentile — higher than 38% of all known CVEs
Summary
A stack-based buffer overflow vulnerability has been detected in Tenda JD12L firmware version 16.03.53.23 in the formSetPPTPServer function of the /goform/SetPptpServerCfg file. Manipulation of the startIp argument allows remote exploitation. The exploit has been publicly disclosed and may be used.
Risk Assessment
The risk for the organization includes potential remote code execution, which could lead to network compromise, data leakage, or service disruption.
Recommendation
It is recommended to immediately apply a firmware update from the vendor if available, or temporarily disable the PPTP Server function and restrict management interface access to trusted IP addresses only.
Original NVD description (English source)
A security vulnerability has been detected in Tenda JD12L 16.03.53.23. Impacted is the function formSetPPTPServer of the file /goform/SetPptpServerCfg. Such manipulation of the argument startIp leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed publicly and may be used.

