CVE-2020-28094

7.5 HIGH

📋 TL;DR

This CVE describes a supply chain vulnerability in Tenda AC1200 routers where the default speed test configuration points to malicious download servers. The vulnerability allows attackers to deliver malware to router users through what appears to be legitimate router functionality. All users of affected Tenda AC1200 (AC6) routers with vulnerable firmware are at risk.

💻 Affected Systems

Products:
  • Tenda AC1200 (Model AC6)
Versions: 15.03.06.51_multi
Operating Systems: Router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects devices running the specific vulnerable firmware version. The vulnerability lies in the default configuration, so no special setup is required for a device to be exposed.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could deliver persistent malware to all devices on the network, potentially leading to complete network compromise, data exfiltration, and ransomware deployment.

🟠

Likely Case

Users downloading router speed test results or related files would receive malware disguised as legitimate software, leading to infected endpoints.

🟢

If Mitigated

With proper network segmentation and endpoint protection, malware could be contained to isolated segments and detected before causing significant damage.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The exploit requires no authentication and leverages the router's built-in speed test functionality. Attackers would need to control or compromise the referenced download servers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: No

Instructions:

No official patch is documented. Users should upgrade to the latest available firmware from Tenda and verify the speed test configuration points to legitimate servers.

🔧 Temporary Workarounds

Disable Router Speed Test (applies to: all)

Prevent the router from using the vulnerable speed test functionality that connects to the malicious servers.

Configure Custom DNS (applies to: all)

Use trusted DNS servers to prevent resolution of the malicious domains referenced in the speed test configuration.

🧯 If You Can't Patch

  • Replace affected routers with non-vulnerable models from different vendors
  • Implement network segmentation to isolate the router from critical systems

🔍 How to Verify

Check if Vulnerable:

Check the router firmware version via the web interface (typically 192.168.0.1 or 192.168.1.1) and verify whether it matches 15.03.06.51_multi.

Check Version:

Router web interface → System Status or About page

Verify Fix Applied:

After firmware update, verify the speed test configuration no longer references suspicious domains like those associated with 'elive' or 'CNKI E-Learning' malware.

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound connections from router to unknown domains
  • Multiple download attempts for 'elive' or 'CNKI E-Learning' files

Network Indicators:

  • DNS queries for suspicious domains associated with the malware
  • HTTP traffic to non-Tenda servers during speed tests

SIEM Query:

source="router_logs" AND (destination_domain="*elive*" OR destination_domain="*cnki*" OR file_download="*.exe")
