Remote Code Execution Vulnerability in Tenda Networking Products

CVE-2024-12002

6.5MEDIUM

Key Information

Vendor
Tenda
Status
Fh451
Fh1201
Fh1202
Fh1206
Vendor
CVE Published:
30 November 2024

Badges

πŸ‘Ύ Exploit Exists🟑 Public PoC

Summary

A high-risk vulnerability (CVE-2024-12002) has been identified in various Tenda networking products, including the FH451, FH1201, FH1202, and FH1206. This vulnerability occurs within the websReadEvent function located in the /goform/GetIPTV file. A remote attacker can manipulate the Content-Length argument, leading to a null pointer dereference condition. The vulnerability has been publicly disclosed, which implies that it could be actively exploited by cybercriminals. Users are strongly advised to update their devices to mitigate any risks associated with this flaw.

Affected Version(s)

FH451 = 20241129

FH1201 = 20241129

FH1202 = 20241129

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

References

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟑

    Public PoC available

  • πŸ‘Ύ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD DatabaseMitre Database1 Proof of Concept(s)

Credit

Kalv1n2077 (VulDB User)
.