CVE-2022-30474

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on Tenda AC Series routers via a heap overflow in the httpd module when processing /goform/saveParentControlInfo requests. Attackers can gain full control of affected routers without authentication. Users of Tenda AC18 routers with firmware version 15.03.05.19(6318) are affected.

💻 Affected Systems

Products:
  • Tenda AC Series Router AC18
Versions: AC18_V15.03.05.19(6318)
Operating Systems: Embedded Linux-based firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Only the firmware version listed above is affected. The Parent Control feature must be enabled for the vulnerable endpoint to be accessible.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete router compromise leading to persistent backdoor installation, network traffic interception, credential theft, and lateral movement to connected devices.

🟠 Likely Case

Router takeover enabling DNS hijacking, credential harvesting, and botnet recruitment for DDoS attacks.

🟢 If Mitigated

Limited impact if routers are behind firewalls with strict inbound filtering and network segmentation.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices directly accessible from WAN interfaces.
🏢 Internal Only: MEDIUM - Internal attackers could exploit if they gain network access, but external exploitation is more likely.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept code exists in GitHub repositories. Exploitation requires sending crafted HTTP POST requests to the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No official vendor advisory found

Restart Required: Yes

Instructions:

  1. Check Tenda official website for firmware updates.
  2. If update available, download and install via router web interface.
  3. Reboot router after installation.
  4. Verify firmware version changed from vulnerable version.

🔧 Temporary Workarounds

Disable Parent Control Feature

all

Disable the Parent Control functionality to remove access to the vulnerable /goform/saveParentControlInfo endpoint.

Restrict WAN Access

all

Configure firewall rules to block external access to the router administration interface (typically port 80/443).

🧯 If You Can't Patch

  • Replace affected routers with different models or brands that receive security updates
  • Place routers behind dedicated firewalls with strict inbound filtering rules

🔍 How to Verify

Check if Vulnerable:

Check the router firmware version via the web interface (typically under the System Status or About page). If the version is exactly AC18_V15.03.05.19(6318), the device is vulnerable.

Check Version:

No CLI command available. Must check via router web interface at http://router_ip/ or via mobile app.

Verify Fix Applied:

Verify firmware version has changed from AC18_V15.03.05.19(6318) to a newer version after update.

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to /goform/saveParentControlInfo with unusual payload length or content
  • Router crash/restart logs following POST requests

Network Indicators:

  • Unusual outbound connections from router to unknown IPs
  • DNS queries to suspicious domains from router

SIEM Query:

http.method:POST AND http.uri:"/goform/saveParentControlInfo" AND (bytes_out > 1000 OR contains(http.user_agent, "curl"))
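
An added example (not part of the original advisory or any vendor tooling): the log indicators above as a small Python detector that flags POSTs to /goform/saveParentControlInfo with a large request body or a curl user agent, and correlates them with a router restart shortly afterwards. The log line format, the 60-second window and the sample lines are constructed assumptions; the 1000-byte threshold is reused from the SIEM query above and applied to the request body size.

```python
import re
from datetime import datetime, timedelta

ENDPOINT = "/goform/saveParentControlInfo"  # endpoint named in the advisory
MAX_BODY = 1000                             # threshold reused from the SIEM query
RESTART_WINDOW = timedelta(seconds=60)      # assumption: restart soon after the POST

# Constructed sample lines; the field layout is an assumption, not a Tenda log format.
SAMPLE_LOG = """\
2024-05-01T10:00:01 http src=192.0.2.10 method=POST uri=/goform/saveParentControlInfo req_bytes=212 ua="Mozilla/5.0"
2024-05-01T10:03:40 http src=198.51.100.7 method=POST uri=/goform/saveParentControlInfo req_bytes=4096 ua="curl/8.0"
2024-05-01T10:03:55 syslog router msg="httpd restarted"
2024-05-01T10:09:00 http src=192.0.2.10 method=GET uri=/index.html req_bytes=0 ua="Mozilla/5.0"
"""

HTTP_RE = re.compile(
    r'^(\S+) http src=(\S+) method=(\S+) uri=(\S+) req_bytes=(\d+) ua="([^"]*)"$')
RESTART_RE = re.compile(r'^(\S+) syslog router msg="[^"]*restart[^"]*"$')


def detect(log_text):
    """Return suspicious POSTs to ENDPOINT, each with the reasons it was flagged."""
    posts = []
    for line in log_text.splitlines():
        http = HTTP_RE.match(line)
        restart = RESTART_RE.match(line)
        if http:
            ts, src, method, uri, size, agent = http.groups()
            if method != "POST" or uri.split("?", 1)[0] != ENDPOINT:
                continue
            reasons = []
            if int(size) > MAX_BODY:
                reasons.append("oversized_body")
            if "curl" in agent.lower():
                reasons.append("scripted_client")
            posts.append({"time": datetime.fromisoformat(ts), "src": src,
                          "reasons": reasons})
        elif restart:
            when = datetime.fromisoformat(restart.group(1))
            for post in posts:
                # Correlate: a restart shortly after a POST suggests httpd crashed.
                if timedelta(0) <= when - post["time"] <= RESTART_WINDOW:
                    post["reasons"].append("restart_after_post")
    return [p for p in posts if p["reasons"]]


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit["time"].isoformat(), hit["src"], ",".join(hit["reasons"]))
```

A normal-sized POST from a browser is reported only if a restart follows it within the window, which keeps routine Parent Control saves out of the alert list.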
