An issue in SHENZHEN TENDA TECHNOLOGY CO.,LTD Tenda AX2pro V16.03.29.48_cn allows a remote attacker to execute arbitrary code via the Routing functionality.
The vulnerability (classified as CWE-940 — Improper Verification of Source of a Communication Channel) is found in the device's Routing functionality. A remote attacker can, without any privileges or user interaction, send a specially crafted network request that leads to arbitrary code execution on the device. The network attack vector (AV:N) with no authentication requirements (PR:N) and no user interaction (UI:N) makes the attack exceptionally simple to carry out.
An attacker can gain full control over the device, including reading and modifying its configuration, intercepting network traffic, or using the router as an entry point to the local network (lateral movement).
Apply patches available from the manufacturer according to the references. Until an update is released, it is recommended to restrict access to the device management interface to trusted hosts only and disable remote management over the Internet.
Tenda AX2 Pro firmware version V16.03.29.48_cn
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HTenda Ax2 Pro
HWTendawszystkie wersjeTenda Ax2 Pro Firmware
OSTenda16.03.29.48_cn
Related vulnerabilities
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow v...
The goform/setUsbUnload endpoint of Tenda AC15 AC1900 version 15.03.05.19 allows remote attackers to execute a...
An issue was discovered on Tenda AC7 devices with firmware through V15.03.06.44_CN(AC7), AC9 devices with firm...
Tenda W308R v2 — obejście uwierzytelnienia i zmiana ustawień DNS
Tenda W3002R/A302/W309R — obejście uwierzytelnienia i zmiana ustawień DNS