OS Command Injection Vulnerability in Tenda AC15 Device
CVE-2024-2851
Key Information:
Badges
Summary
A significant security flaw has been identified in the Tenda AC15 router, specifically in the formSetSambaConf function located in the /goform/setsambacfg file. This vulnerability arises from improper validation of the 'usbName' parameter, allowing for OS command injection. An attacker can exploit this flaw remotely, gaining the capability to execute arbitrary commands on the device, which poses severe risks to network integrity and data security. Despite the public disclosure of this vulnerability, Tenda has not responded to inquiries when initially informed. Users are advised to implement protective measures to mitigate potential exploitation.
Affected Version(s)
AC15 15.03.05.18
AC15 15.03.20_multi
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V3.1
Timeline
- π‘
Public PoC available
- πΎ
Exploit known to exist
Vulnerability published
Vulnerability Reserved