Login Sign Up

CVE-2022-24150

9.8 CRITICAL
Remote Code Execution

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary commands on Tenda AX3 routers via command injection in the remoteIp parameter. Attackers can gain full control of affected devices, potentially compromising network security. Users running Tenda AX3 v16.03.12.10_CN firmware are affected.

💻 Affected Systems

Products:
  • Tenda AX3
Versions: v16.03.12.10_CN
Operating Systems: Embedded Linux (router firmware)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the Chinese firmware version. Other regional variants may have different code.

📦 What is this software?

Ax3 Firmware by Tenda

View all CVEs affecting Ax3 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device takeover allowing attackers to install persistent malware, intercept all network traffic, pivot to internal networks, and use the device as part of a botnet.

🟠

Likely Case

Attackers gain remote shell access to modify router settings, intercept credentials, and deploy cryptocurrency miners or other malware.

🟢

If Mitigated

If properly segmented and monitored, impact limited to isolated network segment with no critical assets.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices, making them directly accessible to attackers worldwide.
🏢 Internal Only: MEDIUM - If router management interface is only accessible internally, risk is reduced but still significant for lateral movement.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept exists in GitHub repository. Exploitation requires sending crafted HTTP request to vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Tenda website for latest firmware

Vendor Advisory: Not publicly documented by vendor

Restart Required: Yes

Instructions:

1. Visit Tenda support website. 2. Download latest firmware for AX3. 3. Log into router admin interface. 4. Navigate to System Tools > Firmware Upgrade. 5. Upload and install new firmware. 6. Reboot router.

🔧 Temporary Workarounds

Disable Remote Management

all

Prevent external access to router management interface

Network Segmentation

all

Isolate router management interface to trusted network segment only

🧯 If You Can't Patch

  • Replace affected router with different model or vendor
  • Implement strict firewall rules blocking all external access to router management ports (typically 80, 443, 8080)

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface under System Status or System Tools

Check Version:

curl -s http://router-ip/goform/getStatus | grep version

Verify Fix Applied:

Verify firmware version is newer than v16.03.12.10_CN after update

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /goform/setSafeWanWebMan
  • Command execution patterns in system logs
  • Unexpected process creation

Network Indicators:

  • HTTP requests with shell metacharacters in parameters
  • Outbound connections from router to suspicious IPs

SIEM Query:

source="router.log" AND (url="/goform/setSafeWanWebMan" OR (param="remoteIp" AND value MATCHES "[;&|`$()]"))

📊 Metadata

CVE ID: CVE-2022-24150
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-77
Published: February 4, 2022
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-24150, you might also want to check these:

CVE-2024-48841 10.0

This critical vulnerability in FLXEON software allows remote attackers to execute arbitrary code wit...

Same vulnerability type (CWE-77)
CVE-2025-59818 10.0

This vulnerability allows authenticated attackers to execute arbitrary system commands by manipulati...

Same vulnerability type (CWE-77)
CVE-2024-28354 10.0

This is a critical command injection vulnerability in TRENDnet TEW-827DRU routers that allows remote...

Same vulnerability type (CWE-77)