Tenda W30E fromRouteStatic stack-based overflow
CVE-2024-3882

8.8HIGH

Key Information:

Vendor
Tenda
Status
W30e
Vendor
CVE Published:
16 April 2024

Badges

👾 Exploit Exists🟡 Public PoC

Summary

A vulnerability exists in the Tenda W30E router, specifically within the fromRouteStatic function located in the /goform/fromRouteStatic file. An attacker can manipulate the 'page' argument, resulting in a stack-based buffer overflow that can be exploited remotely. Public disclosure of the vulnerability raises concerns about its potential exploitation, as no response from the vendor was recorded following initial contact about this issue. This flaw could potentially allow attackers to execute arbitrary code, compromising the integrity and availability of affected devices.

Affected Version(s)

W30E 1.0.1.25(633)

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-3882 - Proof of Concept

References

https://vuldb.com/?id.260916
vdb-entrytechnical-description
https://vuldb.com/?ctiid.260916
signaturepermissions-required
https://vuldb.com/?submit.312825
third-party-advisory

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

Credit

wxhwxhwxh_mie (VulDB User)
.