CVE-2022-26278

9.8 CRITICAL

📋 TL;DR

CVE-2022-26278 is a critical stack overflow vulnerability in Tenda AC9 routers that allows remote attackers to execute arbitrary code via the time parameter in the PowerSaveSet function. This affects Tenda AC9 routers running firmware version 15.03.2.21_cn. Attackers can potentially gain full control of affected devices.

💻 Affected Systems

Products:
  • Tenda AC9
Versions: v15.03.2.21_cn
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the specific Chinese firmware version. Other regional versions may not be vulnerable.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device compromise leading to persistent backdoor installation, credential theft, network pivoting, and participation in botnets.

🟠 Likely Case

Remote code execution allowing attackers to modify router settings, intercept traffic, or use the device as a foothold into the network.

🟢 If Mitigated

Limited impact if the device sits behind a firewall with restricted WAN access and proper network segmentation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code available on GitHub. No authentication required for exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No official vendor advisory found

Restart Required: Yes

Instructions:

1. Check Tenda website for firmware updates
2. If available, download latest firmware
3. Access router admin interface
4. Navigate to firmware upgrade section
5. Upload and install new firmware
6. Reboot router

🔧 Temporary Workarounds

Disable WAN Management (applies to: all)

Prevent external access to the router management interface.

Network Segmentation (applies to: all)

Isolate the router on a separate VLAN with restricted access.

🧯 If You Can't Patch

  • Replace affected router with different model or vendor
  • Place router behind firewall with strict inbound rules

🔍 How to Verify

Check if Vulnerable:

Check the router firmware version in the admin interface. If the version is exactly 15.03.2.21_cn, the device is vulnerable.

Check Version:

Check the router web interface, or use nmap service detection, to identify the firmware version.

Verify Fix Applied:

Verify that the firmware version has changed from 15.03.2.21_cn to a newer version.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to PowerSaveSet endpoint
  • Multiple failed exploit attempts
  • Unexpected configuration changes

Network Indicators:

  • Unusual outbound connections from router
  • Traffic patterns indicating command and control

SIEM Query:

source="router" AND (uri="/goform/PowerSaveSet" OR (method="POST" AND uri CONTAINS "PowerSaveSet"))
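As an added illustration (not from the original page or from Tenda), the following Python routine applies the log indicators above to constructed access-log lines: it isolates POST requests to /goform/PowerSaveSet and flags a time parameter that is implausibly long or contains characters a schedule value would not. The log format, the 32-byte length threshold and the digits/colon/hyphen shape are assumptions, not documented facts about the firmware.

```python
import re
from urllib.parse import parse_qs

# Constructed sample log lines (not real captures). Assumed format: common log
# format with the decoded request body appended as body="..." by a proxy/WAF.
SAMPLE_LOGS = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "POST /goform/PowerSaveSet HTTP/1.1" '
    '200 12 body="time=22:00-06:00&enable=1"',
    '192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /index.html HTTP/1.1" '
    '200 1024 body=""',
    '198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "POST /goform/PowerSaveSet HTTP/1.1" '
    '200 12 body="time=' + 'A' * 300 + '&enable=1"',
]

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" \d+ \d+ body="(?P<body>[^"]*)"$'
)

MAX_TIME_LEN = 32                      # assumption: a benign schedule value is short
TIME_SHAPE = re.compile(r'^[0-9:\-]*$')  # assumption: e.g. "22:00-06:00"


def classify(line):
    """Return a finding dict for PowerSaveSet POSTs, or None for other lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    if m['method'] != 'POST' or 'PowerSaveSet' not in m['uri']:
        return None
    params = parse_qs(m['body'], keep_blank_values=True)
    reasons = []
    for value in params.get('time', []):
        if len(value) > MAX_TIME_LEN:
            reasons.append(f'time length {len(value)} exceeds {MAX_TIME_LEN}')
        if not TIME_SHAPE.match(value):
            reasons.append('time contains characters outside [0-9:-]')
    return {'src': m['src'], 'ts': m['ts'],
            'suspicious': bool(reasons), 'reasons': reasons}


def scan(lines):
    """Run classify over every line and keep only PowerSaveSet findings."""
    return [r for r in map(classify, lines) if r is not None]


if __name__ == '__main__':
    for finding in scan(SAMPLE_LOGS):
        print(finding)
```

A finding with suspicious=True is the event to alert on; the first sample line is kept in the output so an analyst can also see benign PowerSaveSet traffic for baselining.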
