OS Command Injection Vulnerability in Tenda W30E Router
CVE-2024-3880

8.8HIGH

Key Information:

Vendor
Tenda
Status
W30E
Vendor
CVE Published:
16 April 2024

Summary

A security flaw has been identified in the Tenda W30E router, specifically in the formWriteFacMac function located in the /goform/WriteFacMac file. This vulnerability enables an attacker to manipulate the MAC address argument, which may lead to remote OS command injection. As the exploit for this vulnerability has been publicly disclosed, it poses a significant risk to users. Despite early notifications to the vendor regarding this issue, no response has been recorded.

References

https://vuldb.com/?id.260914
https://vuldb.com/?ctiid.260914
https://vuldb.com/?submit.312823

EPSS Score

16% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

.