CVE-2023-36103
📋 TL;DR
This CVE describes a command injection vulnerability in Tenda AC15 routers that allows remote attackers to execute arbitrary commands via crafted POST requests to the goform/SetIPTVCfg interface. Attackers can gain full control of affected routers without authentication. Users running Tenda AC15 routers with vulnerable firmware are affected.
💻 Affected Systems
- Tenda AC15
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete router compromise allowing attackers to intercept all network traffic, install persistent malware, pivot to internal networks, and use the router as a botnet node.
Likely Case
Router takeover leading to DNS hijacking, credential theft from network traffic, and installation of cryptocurrency miners or other malware.
If Mitigated
Limited impact if routers are behind firewalls with strict inbound filtering and network segmentation.
🎯 Exploit Status
Public exploit code is available on GitHub. The vulnerability requires no authentication and has simple exploitation steps.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Not available
Restart Required: No
Instructions:
Check Tenda's official website for firmware updates. If available, download the latest firmware, log into router admin panel, navigate to System Tools > Firmware Upgrade, upload the new firmware file, and wait for the router to reboot.
🔧 Temporary Workarounds
Disable Remote Management
Prevent external access to router web interface
Log into router admin panel > Advanced > System Tools > Remote Management > Disable
Change Default Admin Credentials
Use strong, unique passwords for router administration
Log into router admin panel > Advanced > System Tools > Password > Set new strong password
🧯 If You Can't Patch
- Place router behind a firewall with strict inbound filtering, blocking all external access to ports 80/443
- Implement network segmentation to isolate the router from critical internal systems
🔍 How to Verify
Check if Vulnerable:
Check the router firmware version in the admin panel under System Status. If the version is V15.03.05.20, the device is vulnerable.
Check Version:
curl -s http://router-ip/goform/GetModuleInfo | grep -i version
Verify Fix Applied:
After updating firmware, verify the version number has changed from V15.03.05.20 to a newer version.
📡 Detection & Monitoring
Log Indicators:
- POST requests to /goform/SetIPTVCfg with unusual parameters
- Unusual command execution in router logs
- Multiple failed login attempts followed by successful access
Network Indicators:
- Unusual outbound connections from router
- DNS queries to suspicious domains
- Unexpected port scans originating from router
SIEM Query:
source="router_logs" AND (uri="/goform/SetIPTVCfg" OR command="*;*" OR command="*|*")
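As an added illustration of the log indicators and SIEM query above (not part of the original advisory), the following Python script parses constructed access-log lines and flags POST requests to /goform/SetIPTVCfg whose parameters contain shell metacharacters. It assumes a Combined-Log-style line format and that the request parameters appear in the logged request target; the parameter name `param` is a placeholder, not the router's real field name.

```python
import re
from urllib.parse import urlparse, parse_qsl

# Constructed sample log lines (hypothetical format; Tenda's own log format is not documented here).
# The parameter name "param" and its values are placeholders, not the router's real field.
SAMPLE_LOGS = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "POST /goform/SetIPTVCfg?param=a%3Bb HTTP/1.1" 200 12',
    '192.0.2.11 - - [01/Jan/2024:10:00:01 +0000] "POST /goform/SetIPTVCfg?param=1 HTTP/1.1" 200 12',
    '192.0.2.12 - - [01/Jan/2024:10:00:02 +0000] "GET /goform/GetModuleInfo HTTP/1.1" 200 80',
    '192.0.2.13 - - [01/Jan/2024:10:00:03 +0000] "POST /goform/SetIPTVCfg?param=x%7Cy HTTP/1.1" 200 12',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# The ';' and '|' wildcards from the SIEM query above, plus other common shell separators.
SHELL_META = set(';|&`$')
VULN_PATH = '/goform/SetIPTVCfg'


def parse_line(line):
    """Parse one access-log line into a dict; URL-decode the query string into params."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    url = urlparse(rec['target'])
    rec['path'] = url.path
    # parse_qsl percent-decodes values, so %3B becomes ';' before we inspect it.
    rec['params'] = dict(parse_qsl(url.query, keep_blank_values=True))
    return rec


def suspicious_params(params):
    """Return the names of parameters whose decoded value contains a shell metacharacter."""
    return [k for k, v in params.items() if any(c in SHELL_META for c in v)]


def detect(lines):
    """Flag every POST to the vulnerable endpoint; 'high' if a parameter carries shell metacharacters."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec['method'] != 'POST' or rec['path'] != VULN_PATH:
            continue
        bad = suspicious_params(rec['params'])
        alerts.append({'ip': rec['ip'], 'ts': rec['ts'], 'params': bad,
                       'severity': 'high' if bad else 'low'})
    return alerts


if __name__ == '__main__':
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

Every POST to the endpoint is recorded at low severity because a router's IPTV settings are rarely changed, so even well-formed requests from unexpected sources are worth review.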