Login Sign Up

CVE-2022-32054

9.8 CRITICAL
Remote Code Execution

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on Tenda AC10 routers by exploiting improper input validation in the lanIp parameter. Attackers can gain full control of affected devices without authentication. All users running vulnerable firmware versions are affected.

💻 Affected Systems

Products:
  • Tenda AC10
Versions: US_AC10V1.0RTL_V15.03.06.26_multi_TD01
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the specific firmware version mentioned; other versions may also be vulnerable but unconfirmed.

📦 What is this software?

Ac10 Firmware by Tenda

View all CVEs affecting Ac10 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise allowing attackers to install persistent malware, intercept network traffic, pivot to internal networks, or join botnets.

🟠

Likely Case

Router takeover leading to DNS hijacking, credential theft, network surveillance, or denial of service.

🟢

If Mitigated

Limited impact if devices are behind firewalls with strict inbound filtering and network segmentation.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices with web interfaces exposed to WAN.
🏢 Internal Only: MEDIUM - Could still be exploited via phishing or compromised internal hosts.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code exists in GitHub repositories. Exploitation requires sending crafted HTTP requests to the router's web interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Tenda website for latest firmware > V15.03.06.26

Vendor Advisory: Not publicly documented by vendor

Restart Required: Yes

Instructions:

1. Visit Tenda support website. 2. Download latest firmware for AC10 model. 3. Log into router admin interface. 4. Navigate to System Tools > Firmware Upgrade. 5. Upload and install new firmware. 6. Reboot router.

🔧 Temporary Workarounds

Disable remote management

all

Prevent external access to router web interface

Login to router > Advanced > System Tools > Remote Management > Disable

Network segmentation

all

Isolate router management interface from untrusted networks

Configure firewall rules to block WAN access to router ports 80/443

🧯 If You Can't Patch

  • Place router behind dedicated firewall with strict inbound rules
  • Implement network monitoring for suspicious HTTP requests to router IP

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router admin interface under System Status or System Tools

Check Version:

curl -s http://router-ip/goform/getStatus | grep version

Verify Fix Applied:

Confirm firmware version is newer than V15.03.06.26 and test with known exploit scripts

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP POST requests to /goform/setLanCfg containing shell metacharacters
  • Failed login attempts followed by successful exploitation

Network Indicators:

  • HTTP requests with shell commands in lanIp parameter
  • Unexpected outbound connections from router

SIEM Query:

source="router.log" AND ("lanIp=" AND ("|" OR ";" OR "`" OR "$"))

📊 Metadata

CVE ID: CVE-2022-32054
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-78
Published: July 7, 2022
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-32054, you might also want to check these:

CVE-2023-2564 10.0

This CVE describes an OS command injection vulnerability in scanservjs web scanning software that al...

Same vulnerability type (CWE-78)
CVE-2024-58338 10.0

Anevia Flamingo XL 3.2.9 contains a restricted shell escape vulnerability that allows remote attacke...

Same vulnerability type (CWE-78)
CVE-2025-26389 10.0

This critical vulnerability allows unauthenticated remote attackers to execute arbitrary code with r...

Same vulnerability type (CWE-78)