CVE-2023-37722 – This vulnerability allows remote attackers to e... (How to Fix)

Q: What is the severity of CVE-2023-37722?

CVE-2023-37722 has a CVSS score of 9.8 (CRITICAL). This vulnerability allows remote attackers to execute arbitrary code on affected Tenda routers via a stack overflow in the fromSafeUrlFilter function. Attackers can exploit this by sending specially crafted requests to the vulnerable parameter. Users of Tenda F1202 and FH1202 routers with specific firmware versions are affected.

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on affected Tenda routers via a stack overflow in the fromSafeUrlFilter function. Attackers can exploit this by sending specially crafted requests to the vulnerable parameter. Users of Tenda F1202 and FH1202 routers with specific firmware versions are affected.

💻 Affected Systems

Products:

Tenda F1202
Tenda FH1202

Versions: F1202 V1.0BR_V1.2.0.20(408), FH1202_V1.2.0.19_EN

Operating Systems: Embedded Linux

Default Config Vulnerable: ⚠️ Yes

Notes: Affects web management interface. No authentication bypass required for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise allowing persistent remote access, network traffic interception, and lateral movement to other devices on the network.

🟠

Likely Case

Remote code execution leading to router takeover, enabling attackers to modify DNS settings, intercept traffic, or use the device as a botnet node.

🟢

If Mitigated

Limited impact if devices are behind firewalls with strict inbound filtering and network segmentation.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices with web management interfaces exposed.

🏢 Internal Only: MEDIUM - Could be exploited from within the network if an attacker gains initial access.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public proof-of-concept available in GitHub repository. Exploitation requires sending crafted HTTP request to vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check Tenda website for firmware updates. 2. Download latest firmware for your model. 3. Access router web interface. 4. Navigate to firmware upgrade section. 5. Upload and apply new firmware. 6. Reboot router.

🔧 Temporary Workarounds

Disable Remote Management

all

Prevent external access to router web interface

Access router settings > Management > Disable Remote Management/Web Access from WAN

Network Segmentation

all

Isolate router management interface from untrusted networks

Configure firewall rules to block inbound access to router management ports (typically 80, 443, 8080)

🧯 If You Can't Patch

Replace affected routers with supported models from different vendors
Place routers behind dedicated firewalls with strict inbound filtering rules

🔍 How to Verify

Check if Vulnerable:

Check router firmware version via web interface: System Status > Firmware Version

Check Version:

curl -s http://router-ip/status.cgi | grep version

Verify Fix Applied:

Verify firmware version has been updated to a version later than the affected ones

📡 Detection & Monitoring

Log Indicators:

Unusual HTTP POST requests to router management endpoints
Large payloads in URL parameters
Multiple failed login attempts followed by exploitation attempts

Network Indicators:

Unusual outbound connections from router
DNS hijacking patterns
Traffic redirection to suspicious IPs

SIEM Query:

source="router_logs" AND (url="*fromSafeUrlFilter*" OR parameter="*page*" AND size>1000)

📊 Metadata

CVE ID: CVE-2023-37722

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-787

Published: July 14, 2023

Last Updated: November 21, 2024

🔗 References

https://github.com/FirmRec/IoT-Vulns/blob/main/tenda/fromSafeUrlFilter/report.md Exploit,Third Party Advisory
https://github.com/FirmRec/IoT-Vulns/blob/main/tenda/fromSafeUrlFilter/report.md Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-37722, you might also want to check these: