Login Sign Up

CVE-2023-30370

9.8 CRITICAL
Remote Code Execution Buffer Overflow

📋 TL;DR

CVE-2023-30370 is a critical stack-based buffer overflow vulnerability in Tenda AC15 routers' GetValue function. Attackers can exploit this to execute arbitrary code with root privileges, potentially taking full control of affected devices. This affects all users running vulnerable firmware versions of Tenda AC15 routers.

💻 Affected Systems

Products:
  • Tenda AC15
Versions: V15.03.05.19 and likely earlier versions
Operating Systems: Embedded Linux (router firmware)
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable. No special configuration required for exploitation.

📦 What is this software?

Ac15 Firmware by Tenda

View all CVEs affecting Ac15 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise allowing persistent remote access, credential theft, network pivoting, and botnet recruitment.

🟠

Likely Case

Remote code execution leading to router reconfiguration, DNS hijacking, credential harvesting, and network surveillance.

🟢

If Mitigated

Limited impact if devices are behind firewalls with strict inbound filtering and network segmentation.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices directly accessible from WAN interfaces.
🏢 Internal Only: MEDIUM - Internal attackers could exploit if they gain network access, but external exposure is primary concern.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public GitHub repositories contain exploit code. The vulnerability requires no authentication and has straightforward exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: V15.03.05.20 or later (check Tenda website for latest)

Vendor Advisory: https://www.tendacn.com/en/

Restart Required: Yes

Instructions:

1. Visit Tenda official website. 2. Download latest firmware for AC15. 3. Log into router admin interface. 4. Navigate to System Tools > Firmware Upgrade. 5. Upload and install new firmware. 6. Reboot router.

🔧 Temporary Workarounds

Disable Remote Management

all

Prevents external exploitation by disabling WAN access to admin interface

Network Segmentation

all

Isolate router management interface to trusted network segments only

🧯 If You Can't Patch

  • Replace affected routers with patched or alternative models
  • Implement strict firewall rules blocking all inbound traffic to router management interfaces

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface under System Status or System Tools

Check Version:

Login to router web interface and navigate to System Status page

Verify Fix Applied:

Confirm firmware version is V15.03.05.20 or later after patching

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP POST requests to router management interface
  • Multiple failed exploit attempts
  • Unexpected configuration changes

Network Indicators:

  • Unusual outbound connections from router
  • DNS queries to suspicious domains
  • Port scanning originating from router

SIEM Query:

source_ip=router_ip AND (http_method=POST AND uri_contains="cgi-bin" AND size>threshold)

📊 Metadata

CVE ID: CVE-2023-30370
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-787
Published: April 24, 2023
Last Updated: February 4, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-30370, you might also want to check these:

CVE-2022-43604 10.0

CVE-2022-43604 is a critical out-of-bounds write vulnerability in the OpENer EtherNet/IP stack that ...

Same vulnerability type (CWE-787)
CVE-2025-24201 10.0

This critical vulnerability allows malicious web content to break out of the Web Content sandbox via...

Same vulnerability type (CWE-787)
CVE-2020-14871 10.0

This is a critical buffer overflow vulnerability (CWE-787) in Oracle Solaris's Pluggable Authenticat...

Same vulnerability type (CWE-787)