CVE-2022-48130

9.8 CRITICAL

📋 TL;DR

CVE-2022-48130 is a critical stack overflow vulnerability in Tenda W20E routers that allows remote attackers to execute arbitrary code or cause a denial of service. The vulnerability affects users of Tenda W20E routers with firmware version 15.11.0.6. Attackers can exploit it by sending specially crafted requests to the formSetStaticRoute function.

💻 Affected Systems

Products:
  • Tenda W20E
Versions: v15.11.0.6
Operating Systems: Embedded Linux (router firmware)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web management interface. The vulnerability exists in the static route configuration function.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete device compromise, network takeover, and lateral movement into connected networks.

🟠 Likely Case

Router crash causing denial of service, requiring a physical reset and disrupting network connectivity.

🟢 If Mitigated

Limited impact if the device is behind a firewall with restricted WAN access and proper network segmentation.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices with web interfaces accessible from WAN.
🏢 Internal Only: MEDIUM - Still vulnerable to internal attackers or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A public GitHub repository contains detailed analysis and a proof-of-concept. Exploitation requires network access to the router's web interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No official vendor advisory found

Restart Required: Yes

Instructions:

1. Check the Tenda website for firmware updates.
2. If an update is available, download and install it via the web interface.
3. Factory reset after the update.
4. Reconfigure settings securely.

🔧 Temporary Workarounds

Disable WAN Management

Platform: all

Prevent external access to the router web interface.

Access router settings > Security > Disable Remote Management

Network Segmentation

Platform: linux

Isolate the router management interface to a trusted network. These rules apply where you can run iptables on the device itself or on an upstream Linux gateway in front of it; the ACCEPT rule must come before the DROP rule, and port 443 needs the same pair if HTTPS management is enabled.

# TRUSTED_NET is the management subnet allowed to reach the web interface (for example 192.168.0.0/24)
iptables -A INPUT -p tcp --dport 80 -s TRUSTED_NET -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

🧯 If You Can't Patch

  • Replace affected routers with supported models from different vendors
  • Implement strict network access controls to limit who can reach router management interface

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in web interface: Settings > System Status > Firmware Version

Check Version:

curl -s http://router-ip/goform/getStatus | grep version

Verify Fix Applied:

Verify that the firmware version is newer than v15.11.0.6 and test static route functionality.
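A version check that does not trip over string comparison (for example, "15.9" sorting after "15.11" when compared as text), written here as an added example and not code from the original page or from Tenda. It assumes the firmware string appears in the status output in a form such as "V15.11.0.6"; the advisory names only v15.11.0.6 as affected, so anything at or below that version is treated as needing an update.

```python
import re

# Affected firmware from the advisory: v15.11.0.6
AFFECTED_VERSION = (15, 11, 0, 6)


def parse_version(text):
    """Extract the first dotted numeric version (e.g. 'V15.11.0.6') as a tuple of ints.

    Returns None when no version-looking token is present.
    """
    m = re.search(r"[vV]?(\d+(?:\.\d+)+)", text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def needs_update(status_text):
    """True if the reported firmware is at or below the affected version.

    Tuple comparison handles each numeric component separately, so
    15.9.x sorts below 15.11.x as intended. None means the version
    could not be determined and should be checked by hand.
    """
    version = parse_version(status_text)
    if version is None:
        return None
    return version <= AFFECTED_VERSION


if __name__ == "__main__":
    # Constructed sample of what `curl .../goform/getStatus | grep version` might return (assumption)
    sample_status = '"version":"V15.11.0.6"'
    print("firmware:", parse_version(sample_status), "needs update:", needs_update(sample_status))
```

Pipe the output of the curl command above into this script, or paste the firmware string from the web interface into `needs_update`, to get an unambiguous answer rather than eyeballing the digits.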

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed login attempts
  • Unusual POST requests to /goform/setStaticRoute
  • Router crash/reboot logs

Network Indicators:

  • Unusual traffic to router port 80/443 from external IPs
  • Large POST requests to static route endpoint

SIEM Query:

source="router.log" AND (url="/goform/setStaticRoute" OR "formSetStaticRoute") AND size>1000
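The log and network indicators above, turned into a small detector that runs over router access-log lines. This is an added example, not code from the original page or from Tenda: the log format (source IP, method, path, status, request size) and the /login/Auth path used for the failed-login sample are assumptions, and the sample lines are constructed. It applies the same 1000-byte cut-off as the SIEM query, and additionally flags static-route POSTs from outside the trusted management subnet, 5xx responses on that endpoint (a possible crash), and repeated failed logins from one source.

```python
import re
from collections import Counter

# Constructed sample access-log lines (not from a real device).
# Assumed format: "<src_ip> <method> <path> <status> <request_bytes>"
SAMPLE_LOG = """\
192.168.0.10 POST /goform/setStaticRoute 200 312
203.0.113.7 POST /goform/setStaticRoute 200 2048
192.168.0.10 GET /goform/getStatus 200 0
198.51.100.3 POST /goform/setStaticRoute 500 4096
192.168.0.22 POST /login/Auth 401 88
192.168.0.22 POST /login/Auth 401 88
192.168.0.22 POST /login/Auth 401 88
"""

TRUSTED_NET_PREFIX = "192.168.0."   # management LAN (assumption; adjust to your network)
SIZE_THRESHOLD = 1000               # same cut-off as the SIEM query
FAILED_LOGIN_THRESHOLD = 3          # alert once a source reaches this many failures
STATIC_ROUTE_PATH = "/goform/setStaticRoute"
LOGIN_PATH = "/login/Auth"          # assumed login endpoint for the sample

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\d+)$")


def parse_line(line):
    """Parse one access-log line into (ip, method, path, status, size) or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip, method, path, status, size = m.groups()
    return ip, method, path, int(status), int(size)


def classify_request(ip, method, path, status, size):
    """Return the list of indicator names a single static-route request matches."""
    reasons = []
    if method == "POST" and path == STATIC_ROUTE_PATH:
        if size > SIZE_THRESHOLD:
            reasons.append("oversized static-route POST")
        if not ip.startswith(TRUSTED_NET_PREFIX):
            reasons.append("static-route POST from untrusted source")
        if status >= 500:
            reasons.append("server error on static-route POST (possible crash)")
    return reasons


def detect(log_text):
    """Run all indicators over the log and return a list of (ip, reason) alerts."""
    alerts = []
    failed_logins = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip blank or malformed lines rather than failing the whole run
        ip, method, path, status, size = rec
        for reason in classify_request(ip, method, path, status, size):
            alerts.append((ip, reason))
        if path == LOGIN_PATH and status == 401:
            failed_logins[ip] += 1
            if failed_logins[ip] == FAILED_LOGIN_THRESHOLD:
                alerts.append((ip, "repeated failed logins"))
    return alerts


if __name__ == "__main__":
    for ip, reason in detect(SAMPLE_LOG):
        print(f"ALERT {ip}: {reason}")
```

The size threshold alone would miss a small but malformed request, which is why source and response status are checked as well; in production, feed real access-log lines through `detect` and adjust `TRUSTED_NET_PREFIX` and the login path to match the device.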
