Login Sign Up

CVE-2022-24156

7.5 HIGH
Denial of Service

📋 TL;DR

CVE-2022-24156 is a stack overflow vulnerability in Tenda AX3 routers running firmware version 16.03.12.10_CN. Attackers can exploit this by sending specially crafted requests to the formSetVirtualSer function, causing a Denial of Service (DoS) that crashes the device. This affects users of Tenda AX3 routers with the vulnerable firmware version.

💻 Affected Systems

Products:
  • Tenda AX3
Versions: v16.03.12.10_CN
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Chinese firmware version. Other regional versions may not be vulnerable.

📦 What is this software?

Ax3 Firmware by Tenda

View all CVEs affecting Ax3 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete router crash requiring physical reboot, potentially disrupting all network connectivity for connected devices.

🟠

Likely Case

Router becomes unresponsive, requiring manual reboot to restore functionality.

🟢

If Mitigated

If properly segmented and firewalled, impact limited to router management interface only.

🌐 Internet-Facing: HIGH - Router management interfaces are typically internet-facing on consumer devices.
🏢 Internal Only: LOW - The vulnerability requires access to the management interface, which is typically internet-facing.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept available in GitHub repository. Exploitation requires network access to router management interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Later versions than v16.03.12.10_CN

Vendor Advisory: Not publicly documented

Restart Required: Yes

Instructions:

1. Log into Tenda router admin interface. 2. Navigate to firmware update section. 3. Download latest firmware from Tenda website. 4. Upload and apply firmware update. 5. Reboot router after update completes.

🔧 Temporary Workarounds

Disable remote management

all

Prevent external access to router management interface

Network segmentation

all

Isolate router management interface to trusted network only

🧯 If You Can't Patch

  • Disable WAN access to router management interface
  • Implement network firewall rules to block access to router management ports from untrusted networks

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface. If version is exactly 16.03.12.10_CN, device is vulnerable.

Check Version:

Check via router web interface or SSH if enabled: cat /proc/version or similar router-specific commands

Verify Fix Applied:

Verify firmware version has been updated to a version later than 16.03.12.10_CN.

📡 Detection & Monitoring

Log Indicators:

  • Router crash/reboot logs
  • Multiple failed connection attempts to management interface
  • Unusual traffic patterns to router management ports

Network Indicators:

  • HTTP POST requests to formSetVirtualSer endpoint with malformed list parameter
  • Sudden loss of router connectivity

SIEM Query:

source_ip="*" AND dest_port="80" OR dest_port="443" AND http_uri="*/goform/SetVirtualSer" AND http_method="POST"

📊 Metadata

CVE ID: CVE-2022-24156
CVSS v3 Score: 7.5 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-787
Published: February 4, 2022
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-24156, you might also want to check these:

CVE-2022-43604 10.0

CVE-2022-43604 is a critical out-of-bounds write vulnerability in the OpENer EtherNet/IP stack that ...

Same vulnerability type (CWE-787)
CVE-2025-24201 10.0

This critical vulnerability allows malicious web content to break out of the Web Content sandbox via...

Same vulnerability type (CWE-787)
CVE-2020-14871 10.0

This is a critical buffer overflow vulnerability (CWE-787) in Oracle Solaris's Pluggable Authenticat...

Same vulnerability type (CWE-787)