Login Sign Up

CVE-2023-24212

9.8 CRITICAL
Remote Code Execution

📋 TL;DR

CVE-2023-24212 is a critical stack overflow vulnerability in Tenda AX3 routers that allows remote attackers to execute arbitrary code or cause denial of service by sending specially crafted requests to the /goform/SetSysTimeCfg endpoint. This affects all users running vulnerable firmware versions of Tenda AX3 routers, potentially giving attackers full control of the device.

💻 Affected Systems

Products:
  • Tenda AX3
Versions: V16.03.12.11 and likely earlier versions
Operating Systems: Embedded Linux (router firmware)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web management interface which is typically enabled by default on these routers.

📦 What is this software?

Ax3 Firmware by Tenda

View all CVEs affecting Ax3 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the router leading to persistent backdoor installation, credential theft, network traffic interception, and lateral movement into connected devices.

🟠

Likely Case

Remote code execution allowing attackers to modify router settings, intercept traffic, or use the router as a pivot point for further attacks.

🟢

If Mitigated

Denial of service causing router reboot or instability if exploit attempts are blocked but not fully mitigated.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices, and this vulnerability can be exploited remotely without authentication.
🏢 Internal Only: MEDIUM - Could be exploited from within the network if an attacker gains initial access through other means.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept code exists in GitHub repositories, making exploitation straightforward for attackers with basic skills.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No official vendor advisory found

Restart Required: Yes

Instructions:

1. Check Tenda's official website for firmware updates
2. If available, download the latest firmware
3. Access router admin interface
4. Navigate to firmware upgrade section
5. Upload and apply the new firmware
6. Wait for router to reboot

🔧 Temporary Workarounds

Disable Remote Management

all

Prevent external access to the router's web interface

Access router admin panel -> Advanced Settings -> Remote Management -> Disable

Network Segmentation

all

Isolate router management interface from untrusted networks

Configure firewall rules to block external access to port 80/443 on router IP

🧯 If You Can't Patch

  • Replace affected Tenda AX3 routers with different models from vendors with better security track records
  • Implement network monitoring and intrusion detection specifically for router compromise indicators

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface. If version is V16.03.12.11 or earlier, assume vulnerable.

Check Version:

curl -s http://router-ip/goform/getStatus | grep version or check web interface

Verify Fix Applied:

Verify firmware version has been updated to a version later than V16.03.12.11

📡 Detection & Monitoring

Log Indicators:

  • Multiple POST requests to /goform/SetSysTimeCfg with large payloads
  • Router reboot events without user action
  • Unusual configuration changes

Network Indicators:

  • Unusual outbound connections from router IP
  • Traffic to known malicious IPs from router
  • Port scanning originating from router

SIEM Query:

source="router_logs" AND (uri="/goform/SetSysTimeCfg" OR event="reboot") | stats count by src_ip

📊 Metadata

CVE ID: CVE-2023-24212
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-787
Published: February 23, 2023
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-24212, you might also want to check these:

CVE-2022-43604 10.0

CVE-2022-43604 is a critical out-of-bounds write vulnerability in the OpENer EtherNet/IP stack that ...

Same vulnerability type (CWE-787)
CVE-2025-24201 10.0

This critical vulnerability allows malicious web content to break out of the Web Content sandbox via...

Same vulnerability type (CWE-787)
CVE-2020-14871 10.0

This is a critical buffer overflow vulnerability (CWE-787) in Oracle Solaris's Pluggable Authenticat...

Same vulnerability type (CWE-787)