CVE-2022-24165 – This vulnerability allows remote attackers to e... (How to Fix)

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary commands on Tenda G1 and G3 routers by injecting malicious commands into the qvlanIP parameter. Attackers can gain full control of affected routers, potentially compromising network security. Users of Tenda G1 and G3 routers with vulnerable firmware versions are affected.

💻 Affected Systems

Products:

Tenda G1 Router
Tenda G3 Router

Versions: v15.11.0.17(9502)_CN

Operating Systems: Embedded Linux

Default Config Vulnerable: ⚠️ Yes

Notes: Affects Chinese firmware version specifically; other regional versions may also be vulnerable.

📦 What is this software?

G1 Firmware by Tendacn

View all CVEs affecting G1 Firmware →

G3 Firmware by Tendacn

View all CVEs affecting G3 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete router compromise allowing attackers to intercept all network traffic, install persistent backdoors, pivot to internal networks, and use the router as part of a botnet.

🟠

Likely Case

Router takeover enabling traffic interception, credential theft, DNS hijacking, and lateral movement to connected devices.

🟢

If Mitigated

Limited impact if network segmentation isolates routers and strict access controls prevent external exploitation.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public proof-of-concept available on GitHub; exploitation requires network access to router management interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not publicly available

Restart Required: Yes

Instructions:

1. Check Tenda website for firmware updates
2. Download latest firmware for your router model
3. Access router admin interface
4. Navigate to firmware upgrade section
5. Upload and install new firmware
6. Reboot router after installation

🔧 Temporary Workarounds

Disable Remote Management

all

Prevent external access to router management interface

Network Segmentation

all

Isolate router management interface to trusted network segment

🧯 If You Can't Patch

Replace affected routers with updated models from different vendors
Implement strict firewall rules blocking all external access to router management ports

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface; if version matches affected range, assume vulnerable.

Check Version:

Login to router admin interface and check System Status or Firmware Information page

Verify Fix Applied:

Verify firmware version has been updated to a version newer than v15.11.0.17(9502)_CN

📡 Detection & Monitoring

Log Indicators:

Unusual command execution in system logs
Multiple failed login attempts to router interface
Unexpected process creation

Network Indicators:

Unusual outbound connections from router
Traffic to known malicious IPs
DNS queries to suspicious domains

SIEM Query:

source="router_logs" AND ("formSetQvlanList" OR "qvlanIP") AND command="*"

📊 Metadata

CVE ID: CVE-2022-24165

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-77

Published: February 4, 2022

Last Updated: November 21, 2024

🔗 References

https://github.com/pjqwudi/my_vuln/blob/main/Tenda/vuln_38/38.md Exploit,Third Party Advisory
https://github.com/pjqwudi/my_vuln/blob/main/Tenda/vuln_38/38.md Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-24165, you might also want to check these: