CVE-2022-26987: TP-Link TL-WDR7660 2.0.30, Mercury D196G 20200109_2.0.4, and Fast FAC1900R 20190827_2.0.2 routers have a st...
TP-Link TL-WDR7660 2.0.30, Mercury D196G 20200109_2.0.4, and Fast FAC1900R 20190827_2.0.2 routers have a stack overflow issue in `MmtAtePrase` function. Local users could get remote code execution.
Security readout for executives and security teams
Plain-English summary
This CVE describes a stack overflow in three consumer router models and firmware versions. The public record says a local user could achieve remote code execution. That means an attacker with required local access may be able to run code on the router. Public evidence is sparse: no CVSS score, no CWE, and no confirmed exploitation are provided.
Executive priority
Treat as high priority for environments using the named routers, especially shared offices, guest networks, or unmanaged branch sites. The business risk is router compromise, but urgency should be balanced against the limited public detail and absence of confirmed exploitation in the bundle.
Technical view
CVE-2022-26987 affects TP-Link TL-WDR7660 2.0.30, Mercury D196G 20200109_2.0.4, and Fast FAC1900R 20190827_2.0.2. The issue is reported in the `MmtAtePrase` function and described as a stack overflow leading to remote code execution by local users. The bundle does not define attack vector details, prerequisites, patches, or proof of exploitation.
Likely exposure
Exposure is most likely where the listed router models run the specified firmware and untrusted users can reach local router services. Internet exposure is not established by the provided sources.
Exploitation context
The CVE is not listed as KEV in the provided bundle, and no cited source confirms active exploitation. The description indicates local-user-driven RCE potential, but does not provide enough detail to determine practical exploitability or required privileges.
Researcher notes
The record has unusually limited metadata: no CVSS, CWE, affected CPEs, or vendor remediation details. The function name suggests a memory-corruption flaw, but the available sources do not identify the reachable interface, input path, authentication state, or patch lineage.
Mitigation direction
Inventory the listed router models and exact firmware versions.
Check vendor guidance for fixed firmware or replacement advice.
Apply vendor-provided firmware updates if available.
Restrict router administration to trusted local networks only.
Replace affected devices if no supported fix exists.
Validation and detection
Confirm device model and firmware from router administration records.
Identify whether untrusted users can access local router services.
Review vendor advisories for patch availability and affected versions.
Check logs for unexpected router configuration or administration changes.
Document compensating controls where firmware cannot be updated.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
description · low confidence lookup
Execution behavior lookup
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
1ADP providers
3Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
May 10, 2022, 14:22 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.