CVE-2022-25449 – This vulnerability allows remote attackers to e... (How to Fix)

Q: What is the severity of CVE-2022-25449?

CVE-2022-25449 has a CVSS score of 9.8 (CRITICAL). This vulnerability allows remote attackers to execute arbitrary code on Tenda AC6 routers by exploiting a stack overflow in the saveParentControlInfo function. Attackers can send specially crafted requests containing malicious deviceId parameters to gain full control of affected devices. This affects all users running the vulnerable firmware version.

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on Tenda AC6 routers by exploiting a stack overflow in the saveParentControlInfo function. Attackers can send specially crafted requests containing malicious deviceId parameters to gain full control of affected devices. This affects all users running the vulnerable firmware version.

💻 Affected Systems

Products:

Tenda AC6 wireless router

Versions: v15.03.05.09_multi

Operating Systems: Embedded Linux firmware

Default Config Vulnerable: ⚠️ Yes

Notes: All devices running this specific firmware version are vulnerable by default. No special configuration required.

📦 What is this software?

Ac6 Firmware by Tenda

View all CVEs affecting Ac6 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise leading to persistent backdoor installation, network traffic interception, credential theft, and lateral movement to other network devices.

🟠

Likely Case

Remote code execution allowing attackers to modify router settings, intercept traffic, or use the device as part of a botnet.

🟢

If Mitigated

Limited impact if devices are behind firewalls with strict inbound filtering and network segmentation.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices directly accessible from WAN interfaces.

🏢 Internal Only: MEDIUM - Attackers could exploit from compromised internal hosts or via phishing campaigns.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public proof-of-concept code exists in GitHub repositories. Exploitation requires sending a crafted HTTP request to the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Later versions than v15.03.05.09_multi

Vendor Advisory: Not publicly documented by vendor

Restart Required: Yes

Instructions:

1. Log into Tenda router admin interface. 2. Navigate to System Tools > Firmware Upgrade. 3. Download latest firmware from Tenda website. 4. Upload and install new firmware. 5. Reboot router after installation.

🔧 Temporary Workarounds

Disable remote management

all

Prevent external access to router administration interface

Network segmentation

all

Isolate router management interface to trusted network segment

🧯 If You Can't Patch

Replace affected devices with patched or different model routers
Implement strict network firewall rules blocking all inbound traffic to router management interfaces

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router admin interface under System Status or System Tools > Firmware Upgrade

Check Version:

Not applicable - check via web interface

Verify Fix Applied:

Confirm firmware version is newer than v15.03.05.09_multi after patching

📡 Detection & Monitoring

Log Indicators:

Unusual HTTP POST requests to saveParentControlInfo endpoint
Multiple failed authentication attempts followed by successful exploitation

Network Indicators:

Unusual outbound connections from router
Traffic patterns suggesting command and control communication

SIEM Query:

source_ip="router_ip" AND (uri="*/goform/saveParentControlInfo" OR user_agent="*exploit*")

📊 Metadata

CVE ID: CVE-2022-25449

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-787

Published: March 18, 2022

Last Updated: November 21, 2024

🔗 References

https://github.com/EPhaha/IOT_vuln/tree/main/Tenda/AC6/5 Exploit,Third Party Advisory
https://github.com/EPhaha/IOT_vuln/tree/main/Tenda/AC6/5 Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-25449, you might also want to check these: