CVE-2022-24167

9.8 CRITICAL

📋 TL;DR

A command injection in the formSetDMZ handler of Tenda G1 and G3 routers: the dmzHost1 parameter (the DMZ host address) is not validated before it reaches an OS command, so an attacker who can submit the DMZ configuration form can execute arbitrary commands on the router. Successful exploitation gives full control of the device and therefore of the traffic it carries. Users of Tenda G1 and G3 routers running the vulnerable firmware build are affected.

💻 Affected Systems

Products:
  • Tenda G1 router
  • Tenda G3 router
Versions: v15.11.0.17(9502)_CN
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Only the Chinese firmware build is listed; other regional builds may or may not be affected. The attacker must be able to reach the admin interface that serves the DMZ configuration form.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete router compromise leading to full network takeover, credential theft, malware deployment, and persistent backdoor installation.

🟠

Likely Case

Router compromise allowing network traffic interception, DNS hijacking, and lateral movement to connected devices.

🟢

If Mitigated

Limited impact if network segmentation isolates routers and strict access controls prevent external exploitation.

🌐 Internet-Facing: HIGH - The router sits on the WAN edge; its admin interface is reachable from the internet whenever remote (WAN-side) management is enabled, which makes it directly exploitable.
🏢 Internal Only: MEDIUM - Every host on the LAN can reach the admin interface by default, so a compromised client or a malicious insider can exploit it; external exposure remains the primary concern.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

This page records the exploit as requiring authentication to the router admin interface. Note that the 9.8 CRITICAL score shown above is the score usually produced by the AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H vector, which assumes no privileges; the two statements are hard to reconcile, so treat the authentication requirement as unconfirmed and plan for the unauthenticated case. Public proof-of-concept code exists in GitHub repositories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not documented. No fixed build is confirmed; a firmware version newer than v15.11.0.17(9502)_CN is not by itself proof that the fix is present until Tenda confirms it.

Vendor Advisory: Not publicly documented by Tenda

Restart Required: Yes

Instructions:

1. Log into the router admin interface.
2. Navigate to the firmware update section.
3. Download the latest firmware for your model from the Tenda website.
4. Upload and install the firmware update.
5. Reboot the router after installation.

🔧 Temporary Workarounds

Disable DMZ Feature

Platform: all

Disable the DMZ functionality that contains the vulnerable parameter. This reduces exposure but does not necessarily remove the formSetDMZ handler that processes the injected value, so pair it with restricting who can reach the admin interface.

Restrict Admin Access

Platform: linux

Limit router admin interface access to trusted internal IPs only. On the router itself the practical control is to turn off remote (WAN-side) management in the admin UI; the rules below apply on a Linux host that sits in front of the admin interface (an upstream firewall), or on the router if you have shell access to it.

# Replace TRUSTED_IP with your management host or subnet. Rules are inserted at the
# top so an earlier broad ACCEPT cannot shadow them; DROP goes in first so ACCEPT lands above it.
iptables -I INPUT -p tcp --dport 80 -j DROP
iptables -I INPUT -p tcp --dport 80 -s TRUSTED_IP -j ACCEPT

🧯 If You Can't Patch

  • Disable remote (WAN-side) management so the admin interface is reachable only from the LAN
  • Isolate router management on a separate VLAN with strict firewall rules
  • Monitor HTTP requests to the admin interface for dmzHost1 values that are not a plain IPv4 address, and watch for unexpected outbound connections from the router

🔍 How to Verify

Check if Vulnerable:

Check the router firmware version in the admin interface under System Status or Firmware Update; that page is the authoritative source.

Check Version:

# goform endpoint names vary between Tenda firmware builds and usually require an
# authenticated session cookie; if this returns nothing, use the admin UI instead.
curl -s http://router-ip/goform/getStatus | grep -i version

Verify Fix Applied:

Verify that the firmware version is newer than v15.11.0.17(9502)_CN after the update. Because no fixed build is documented, also re-submit the DMZ form with a non-IP value (for example a host containing a ';') and confirm the router rejects it rather than accepting it.

📡 Detection & Monitoring

Log Indicators:

  • Requests to the admin interface whose dmzHost1 value is not a plain IPv4 address, in particular values containing shell metacharacters such as ';', '|', '`' or '$('. Stock consumer firmware keeps no command-execution log, so this has to come from traffic captured in front of the router.
  • Multiple failed login attempts followed by DMZ configuration changes

Network Indicators:

  • Unexpected outbound connections from router
  • DNS queries to suspicious domains from router IP

SIEM Query:

The query below assumes a log source that records the handler or parameter name. Consumer router firmware does not emit such events, so in practice the source is HTTP traffic to the admin interface captured by a proxy or network sensor.

source="router.log" AND ("formSetDMZ" OR "dmzHost1") AND command="*"
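As an added example (not code from this page or from Tenda), the following Python applies the strict whole-value allowlist check a DMZ handler should have applied to dmzHost1, and runs the same check as a detection over constructed request lines of the kind a proxy in front of the admin interface would record. The request path /goform/setDMZ and the line format are assumptions; the URL path that maps to formSetDMZ is not documented here, so the detection keys on the parameter name rather than the path.

```python
"""Allowlist check and detection for injection attempts in the Tenda DMZ form.

Added example, not Tenda's code. It assumes the decoded HTTP request body to the
admin interface is visible (reverse proxy or packet capture). The path
'/goform/setDMZ' and the log line format are assumptions for the sample only.
"""
import ipaddress
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs

# Characters that let a value escape a shell command built by string concatenation.
SHELL_META = re.compile(r"""[;|&`$(){}<>\\'"\n\r]""")


def is_valid_dmz_host(value: str) -> bool:
    """The whole-value check a DMZ handler should apply: exactly one dotted-quad
    IPv4 address and nothing else. Anything else is rejected, whether or not it
    happens to contain shell metacharacters."""
    try:
        ipaddress.IPv4Address(value)
    except (ipaddress.AddressValueError, ValueError):
        return False
    return True


def check_request(method: str, path: str, body: str) -> Optional[Dict[str, object]]:
    """Return an alert for a POST whose dmzHost1 parameter fails the allowlist."""
    if method.upper() != "POST":
        return None
    # Decode percent-encoding before inspecting: attackers send ';' as %3B.
    # separator="&" keeps a literal ';' inside the value instead of splitting on it.
    params = parse_qs(body, keep_blank_values=True, separator="&")
    values = params.get("dmzHost1")
    if not values:
        return None
    value = values[0]
    if is_valid_dmz_host(value):
        return None
    return {
        "path": path,
        "dmzHost1": value,
        "shell_meta": sorted(set(SHELL_META.findall(value))),
    }


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Scan constructed proxy-style lines: '<ts> <client> <method> <path> [<body>]'."""
    alerts = []
    for line in lines:
        parts = line.rstrip("\n").split(" ", 4)
        if len(parts) < 4:
            continue
        ts, client, method, path = parts[:4]
        body = parts[4] if len(parts) == 5 else ""
        alert = check_request(method, path, body)
        if alert:
            alert.update({"ts": ts, "client": client})
            alerts.append(alert)
    return alerts


# Constructed sample traffic to the admin interface (not real captures).
SAMPLE_LOG = [
    "2022-02-01T10:00:00Z 192.168.0.10 POST /goform/setDMZ dmzHost1=192.168.0.50&dmzEnable=1",
    "2022-02-01T10:00:05Z 192.168.0.10 GET /goform/getStatus",
    "2022-02-01T10:01:12Z 203.0.113.7 POST /goform/setDMZ dmzHost1=192.168.0.50%3Btelnetd%20-l%20%2Fbin%2Fsh&dmzEnable=1",
    "2022-02-01T10:01:20Z 203.0.113.7 POST /goform/setDMZ dmzHost1=%60reboot%60&dmzEnable=1",
    "2022-02-01T10:02:00Z 192.168.0.11 POST /goform/setDMZ dmzHost1=192.168.0.999&dmzEnable=1",
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The last sample line is flagged even though it carries no shell metacharacter: an allowlist that accepts only a well-formed IPv4 address catches malformed input and injection alike, which is why the check is a better fix than a denylist of characters.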

🔗 References
