CVE-2020-24987 – This vulnerability allows remote attackers to e... (How to Fix)

Q: What is the severity of CVE-2020-24987?

CVE-2020-24987 has a CVSS score of 9.8 (CRITICAL). This vulnerability allows remote attackers to execute arbitrary code on Tenda AC18 routers without authentication when the administrator UI is configured to use RADIUS authentication. The flaw exists in the logincheck() function's incorrect authentication handling. All users of affected Tenda AC18 router versions are at risk.

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on Tenda AC18 routers without authentication when the administrator UI is configured to use RADIUS authentication. The flaw exists in the logincheck() function's incorrect authentication handling. All users of affected Tenda AC18 router versions are at risk.

💻 Affected Systems

Products:

Tenda AC18 Router

Versions: Through V15.03.05.05_EN and through V15.03.05.19(6318) CN

Operating Systems: Embedded Linux on Tenda hardware

Default Config Vulnerable: ✅ No

Notes: Only vulnerable when administrator UI interface is set to 'radius' authentication mode.

📦 What is this software?

Ac18 Firmware by Tendacn

View all CVEs affecting Ac18 Firmware →

Ac18 Firmware by Tendacn

View all CVEs affecting Ac18 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete router compromise allowing attacker to install persistent malware, intercept all network traffic, pivot to internal networks, and use router as botnet node.

🟠

Likely Case

Router takeover enabling traffic interception, DNS manipulation, credential theft, and lateral movement to connected devices.

🟢

If Mitigated

Limited impact with proper network segmentation and monitoring, though router would still be compromised.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices directly accessible from WAN interfaces.

🏢 Internal Only: MEDIUM - Internal attackers could exploit if they gain network access, but external threat is primary.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploit requires specific RADIUS configuration but no authentication. Proof-of-concept details are publicly available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after V15.03.05.05_EN and V15.03.05.19(6318) CN

Vendor Advisory: https://www.tendacn.com/en/product/AC18.html

Restart Required: Yes

Instructions:

1. Log into router admin interface. 2. Navigate to firmware update section. 3. Download latest firmware from Tenda website. 4. Upload and apply firmware update. 5. Reboot router after update completes.

🔧 Temporary Workarounds

Disable RADIUS Authentication

all

Change administrator authentication from RADIUS to local authentication or disable remote admin access.

Login to router admin interface and change Authentication Method from RADIUS to Local

Restrict Admin Interface Access

all

Limit admin interface access to specific IP addresses or disable WAN admin access.

Configure firewall rules to restrict admin port access to trusted IPs only

🧯 If You Can't Patch

Isolate router on separate VLAN with strict firewall rules limiting traffic to/from router
Implement network monitoring for unusual router traffic patterns or connection attempts

🔍 How to Verify

Check if Vulnerable:

Check router firmware version via admin interface and verify if RADIUS authentication is enabled for admin UI.

Check Version:

Login to router admin interface and check System Status or Firmware Version page

Verify Fix Applied:

Verify firmware version is newer than affected versions and test RADIUS authentication functionality.

📡 Detection & Monitoring

Log Indicators:

Unusual authentication attempts to admin interface
Unexpected process execution on router
Configuration changes without authorized user

Network Indicators:

Unusual outbound connections from router
Traffic redirection patterns
DNS query anomalies

SIEM Query:

source="router_logs" AND (event_type="auth_failure" OR event_type="config_change") AND user="unknown"

📊 Metadata

CVE ID: CVE-2020-24987

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-287

Published: September 4, 2020

Last Updated: November 21, 2024

🔗 References

https://cwe.mitre.org/data/definitions/287.html Third Party Advisory
https://drive.google.com/file/d/1iqpr0EofOBC6kCq2USTOBPRlJu_naFjQ/view?usp=sharing Broken Link
https://www.tendacn.com/en/product/AC18.html Product,Vendor Advisory
https://cwe.mitre.org/data/definitions/287.html Third Party Advisory
https://drive.google.com/file/d/1iqpr0EofOBC6kCq2USTOBPRlJu_naFjQ/view?usp=sharing Broken Link
https://www.tendacn.com/en/product/AC18.html Product,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-24987, you might also want to check these: