CVE-2023-27021 – This vulnerability in Tenda AC10 routers allows... (How to Fix)

Q: What is the severity of CVE-2023-27021?

CVE-2023-27021 has a CVSS score of 9.8 (CRITICAL). This vulnerability in Tenda AC10 routers allows attackers to cause denial of service or execute arbitrary code by exploiting a stack overflow in the firewall configuration function. It affects Tenda AC10 routers running specific vulnerable firmware versions. Attackers can exploit this remotely without authentication.

📋 TL;DR

This vulnerability in Tenda AC10 routers allows attackers to cause denial of service or execute arbitrary code by exploiting a stack overflow in the firewall configuration function. It affects Tenda AC10 routers running specific vulnerable firmware versions. Attackers can exploit this remotely without authentication.

💻 Affected Systems

Products:

Tenda AC10 router

Versions: US_AC10V4.0si_V16.03.10.13_cn firmware

Operating Systems: Embedded router firmware

Default Config Vulnerable: ⚠️ Yes

Notes: The vulnerability exists in the web management interface's firewall configuration function. Routers with web management exposed (default configuration) are vulnerable.

📦 What is this software?

Ac10 Firmware by Tenda

View all CVEs affecting Ac10 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with remote code execution, allowing attackers to take full control of the router, intercept network traffic, pivot to internal networks, or install persistent malware.

🟠

Likely Case

Denial of service causing router crashes and network disruption, potentially followed by remote code execution if attackers craft sophisticated payloads.

🟢

If Mitigated

Limited impact with proper network segmentation, firewall rules blocking external access to router management interfaces, and intrusion detection systems monitoring for exploitation attempts.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable without authentication, making internet-facing routers extremely vulnerable to attack.

🏢 Internal Only: MEDIUM - Internal attackers or malware could exploit this vulnerability to pivot through networks or disrupt internal routing.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public proof-of-concept code exists in GitHub repositories. The vulnerability requires sending crafted HTTP requests to the router's web interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No official vendor advisory found

Restart Required: No

Instructions:

1. Check Tenda's official website for firmware updates. 2. If available, download the latest firmware. 3. Log into router web interface. 4. Navigate to firmware upgrade section. 5. Upload and apply the new firmware. 6. Verify the version has been updated.

🔧 Temporary Workarounds

Disable remote management

all

Prevent external access to the router's web management interface

Restrict management interface access

all

Configure firewall rules to only allow management access from trusted internal IP addresses

🧯 If You Can't Patch

Segment the network to isolate the vulnerable router from critical systems
Implement network monitoring and intrusion detection to alert on exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check router firmware version via web interface: Login > System Status > Firmware Version. If version is US_AC10V4.0si_V16.03.10.13_cn, the device is vulnerable.

Check Version:

No CLI command available. Must check via web interface at http://router_ip or via router's admin panel.

Verify Fix Applied:

After updating firmware, verify the version has changed from the vulnerable version. Test by attempting to access the firewall configuration page with normal usage patterns.

📡 Detection & Monitoring

Log Indicators:

Unusual HTTP POST requests to /goform/SetFirewallCfg endpoint
Multiple failed firewall configuration attempts
Router crash/reboot logs

Network Indicators:

Unusual traffic patterns to router management interface from external IPs
HTTP requests with oversized or malformed parameters to firewall configuration endpoint

SIEM Query:

source="router_logs" AND (uri="/goform/SetFirewallCfg" OR message="firewall config" OR message="router crash")

📊 Metadata

CVE ID: CVE-2023-27021

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-787

Published: April 7, 2023

Last Updated: February 12, 2025

🔗 References

https://github.com/DrizzlingSun/Tenda/blob/main/AC10/9/9.md Exploit,Third Party Advisory
https://github.com/DrizzlingSun/Tenda/blob/main/AC10/9/9.md Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-27021, you might also want to check these: