CVE-2022-28969

7.5 HIGH

📋 TL;DR

CVE-2022-28969 is a stack overflow vulnerability in Tenda AX1806 routers that allows attackers to cause a Denial of Service (DoS) by sending requests with a specially crafted shareSpeed parameter. It affects Tenda AX1806 routers running vulnerable firmware versions. Attackers can crash the router's web interface or potentially execute arbitrary code.

💻 Affected Systems

Products:
  • Tenda AX1806
Versions: v1.0.0.1
Operating Systems: Embedded Linux (router firmware)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web management interface of the router. The vulnerability is in the fromSetWifiGusetBasic function.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete router compromise, persistent backdoor installation, and network infiltration.
🟠 Likely Case: Denial of Service causing router reboot or web interface crash, disrupting network connectivity.
🟢 If Mitigated: Limited to DoS with quick recovery if proper network segmentation and monitoring are in place.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices, and the vulnerability can be exploited remotely.
🏢 Internal Only: MEDIUM - Internal attackers could exploit this if they have network access to the router's management interface.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept code is available in GitHub repositories. Exploitation requires sending a crafted HTTP request to the router's web interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Tenda website for firmware updates beyond v1.0.0.1

Vendor Advisory: Not publicly documented by vendor

Restart Required: Yes

Instructions:

1. Log into Tenda router web interface.
2. Navigate to System Tools > Firmware Upgrade.
3. Download latest firmware from Tenda website.
4. Upload and install firmware update.
5. Reboot router after installation.

🔧 Temporary Workarounds

Disable Guest WiFi

Disable the guest WiFi feature that contains the vulnerable function

Restrict Management Access

Limit router management interface access to trusted IP addresses only

🧯 If You Can't Patch

  • Isolate router on separate VLAN with strict firewall rules
  • Disable remote management and WAN-side access to web interface

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in web interface under System Status. If version is v1.0.0.1, device is vulnerable.

Check Version:

curl -s http://router-ip/goform/getStatus | grep version

Verify Fix Applied:

Verify firmware version has been updated to a version later than v1.0.0.1

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed login attempts
  • Unusual HTTP POST requests to /goform/setWifiGuestBasic
  • Router reboot logs

Network Indicators:

  • Unusual traffic to router port 80/443 from external IPs
  • HTTP requests with large shareSpeed parameter values

SIEM Query:

source="router_logs" AND (uri="/goform/setWifiGuestBasic" OR message="reboot")
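
Detection sketch (an added example, not vendor or original-page code): it applies the indicators above to parsed HTTP request records, flagging POSTs to /goform/setWifiGuestBasic whose shareSpeed value is unusually long or non-numeric, or that come from outside the trusted management network. The record layout, the 192.168.0.0/24 trusted range and the 8-character limit are assumptions to adapt to your own logs.

```python
import ipaddress
from urllib.parse import parse_qs

# Endpoint and parameter named on this page.
GUEST_WIFI_URI = "/goform/setWifiGuestBasic"
PARAM = "shareSpeed"
# Assumption: a legitimate speed limit is a short decimal number.
MAX_LEN = 8
# Assumption: only this LAN range should ever reach the management interface.
TRUSTED_NET = ipaddress.ip_network("192.168.0.0/24")


def inspect_request(src_ip, method, uri, body):
    """Return the reasons a request looks suspicious (empty list if none)."""
    path = uri.split("?", 1)[0]
    if method.upper() != "POST" or path != GUEST_WIFI_URI:
        return []
    reasons = []
    if ipaddress.ip_address(src_ip) not in TRUSTED_NET:
        reasons.append(f"source {src_ip} is outside the trusted management network")
    # keep_blank_values so an empty parameter is still inspected
    for value in parse_qs(body, keep_blank_values=True).get(PARAM, []):
        if len(value) > MAX_LEN:
            reasons.append(f"{PARAM} length {len(value)} exceeds {MAX_LEN}")
        elif not value.isdigit():
            reasons.append(f"{PARAM} is not a plain number")
    return reasons


def scan(records):
    """Return (record, reasons) for every flagged record, in input order."""
    return [(r, why) for r in records if (why := inspect_request(*r))]


# Constructed sample records: (source IP, method, URI, form-encoded body).
SAMPLE = [
    ("192.168.0.23", "POST", GUEST_WIFI_URI, "shareSpeed=0"),
    ("192.168.0.23", "GET", "/index.html", ""),
    ("192.168.0.57", "POST", GUEST_WIFI_URI, "shareSpeed=" + "7" * 600),
    ("203.0.113.9", "POST", GUEST_WIFI_URI, "shareSpeed=10"),
]

if __name__ == "__main__":
    for record, reasons in scan(SAMPLE):
        print(record[0], "->", "; ".join(reasons))
```

Feed it records parsed from a reverse proxy, IDS or packet-capture export placed in front of the router; the router's own logs may not include request bodies.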
