CVE-2022-25447 – This vulnerability allows remote attackers to e... (How to Fix)

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on Tenda AC6 routers via a stack overflow in the openSchedWifi function. Attackers can exploit this by sending specially crafted requests to the schedendtime parameter, potentially gaining full control of affected devices. Users of Tenda AC6 routers with firmware version 15.03.05.09_multi are affected.

💻 Affected Systems

Products:

Tenda AC6 wireless router

Versions: v15.03.05.09_multi

Operating Systems: Embedded Linux firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Affects the specific firmware version only; other versions may also be vulnerable but unconfirmed.

📦 What is this software?

Ac6 Firmware by Tenda

View all CVEs affecting Ac6 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise leading to persistent backdoor installation, credential theft, network traffic interception, and lateral movement to other devices on the network.

🟠

Likely Case

Remote code execution allowing attackers to modify router settings, intercept traffic, or use the device as part of a botnet.

🟢

If Mitigated

Limited impact if device is behind firewall with restricted WAN access and proper network segmentation.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices, making them directly accessible to attackers.

🏢 Internal Only: MEDIUM - If WAN access is restricted, attackers would need initial network access to exploit.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public proof-of-concept code exists in GitHub repositories, making exploitation straightforward for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check Tenda website for firmware updates
2. If update available, download and install via router admin interface
3. Reboot router after installation
4. Verify firmware version is updated

🔧 Temporary Workarounds

Disable remote administration

all

Prevent external access to router administration interface

Login to router admin panel -> Advanced Settings -> Remote Management -> Disable

Network segmentation

all

Isolate router management interface from untrusted networks

Configure firewall rules to restrict access to router IP on ports 80/443

🧯 If You Can't Patch

Replace affected router with a different model or vendor
Place router behind a separate firewall with strict inbound rules

🔍 How to Verify

Check if Vulnerable:

Check router firmware version via admin interface (typically at 192.168.0.1 or 192.168.1.1)

Check Version:

curl -s http://router-ip/goform/getStatus | grep version or check web interface

Verify Fix Applied:

Verify firmware version is no longer 15.03.05.09_multi

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests to /goform/openSchedWifi
Multiple failed authentication attempts
Unexpected configuration changes

Network Indicators:

Unusual outbound connections from router
Traffic to known malicious IPs
Port scanning originating from router

SIEM Query:

source="router_logs" AND (uri="/goform/openSchedWifi" OR "schedendtime" IN request_body)

📊 Metadata

CVE ID: CVE-2022-25447

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-787

Published: March 18, 2022

Last Updated: November 21, 2024

🔗 References

https://github.com/EPhaha/IOT_vuln/tree/main/Tenda/AC6/4 Exploit,Third Party Advisory
https://github.com/EPhaha/IOT_vuln/tree/main/Tenda/AC6/4 Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-25447, you might also want to check these: