Tenda FH1205 execCommand formexeCommand stack-based overflow
CVE-2024-3008

8.8HIGH

Key Information:

Vendor: Tenda
Status: Fh1205
Vendor: CVE Published:; 27 March 2024

Badges

👾 Exploit Exists

What is CVE-2024-3008?

A security vulnerability has been identified in the Tenda FH1205 router, specifically in the formexeCommand function located in the /goform/execCommand file. This issue stems from improper handling of the cmdinput argument, leading to a stack-based buffer overflow. The exploit can be executed remotely, potentially allowing attackers to gain unauthorized access or control over the device. Although the vulnerability has been publicly disclosed, communication with the vendor regarding this issue has not been acknowledged. Users of the affected product are advised to take immediate precautions to safeguard their devices.

Affected Version(s)

FH1205 2.0.0.7(775)

References

https://vuldb.com/?id.258294

vdb-entrytechnical-description

https://vuldb.com/?ctiid.258294

signaturepermissions-required

https://vuldb.com/?submit.301487

third-party-advisory

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

CVSS V3.0

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

👾
Exploit known to exist
Mar 27, 2024
Vulnerability published
Mar 27, 2024

Credit

wxhwxhwxh_mie (VulDB User)