CVE-2023-40798 – This vulnerability in Tenda AC23 routers allows... (How to Fix)

Q: What is the severity of CVE-2023-40798?

CVE-2023-40798 has a CVSS score of 8.8 (HIGH). This vulnerability in Tenda AC23 routers allows authenticated attackers to execute arbitrary code via stack overflow in IPv6 and WAN parameter functions. It affects users running vulnerable firmware versions, potentially compromising router security and network integrity.

📋 TL;DR

This vulnerability in Tenda AC23 routers allows authenticated attackers to execute arbitrary code via stack overflow in IPv6 and WAN parameter functions. It affects users running vulnerable firmware versions, potentially compromising router security and network integrity.

💻 Affected Systems

Products:

Tenda AC23

Versions: v16.03.07.45_cn

Operating Systems: Embedded Linux

Default Config Vulnerable: ⚠️ Yes

Notes: Requires attacker authentication to router admin interface; Chinese firmware version specifically affected.

📦 What is this software?

Ac23 Firmware by Tenda

View all CVEs affecting Ac23 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete router compromise leading to persistent backdoor installation, network traffic interception, lateral movement to connected devices, and botnet recruitment.

🟠

Likely Case

Router takeover allowing configuration changes, DNS hijacking, credential theft from network traffic, and denial of service to connected devices.

🟢

If Mitigated

Limited impact if strong network segmentation isolates the router and regular credential rotation prevents attacker persistence.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploit requires valid admin credentials; published PoC demonstrates reliable exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check Tenda support for firmware updates. 2. If update available, download from official source. 3. Backup router configuration. 4. Upload firmware via admin interface. 5. Factory reset after update. 6. Restore minimal configuration.

🔧 Temporary Workarounds

Disable IPv6

all

Prevents exploitation via formSetIPv6status function

Login to router admin → Network → IPv6 → Disable

Change Admin Credentials

all

Mitigates authentication requirement for exploit

Login to router admin → System Tools → Modify Login Password

🧯 If You Can't Patch

Isolate router on separate VLAN with strict firewall rules
Implement network monitoring for unusual router traffic patterns

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface under System Status → Firmware Version

Check Version:

curl -s http://router-ip/goform/getStatus | grep version

Verify Fix Applied:

Verify firmware version is newer than v16.03.07.45_cn and test IPv6/WAN functions

📡 Detection & Monitoring

Log Indicators:

Multiple failed login attempts followed by successful login and configuration changes
Unusual POST requests to /goform/setIPv6status or /goform/getWanParameter

Network Indicators:

Unexpected outbound connections from router
DNS queries to suspicious domains
Port scanning originating from router

SIEM Query:

source="router.log" AND (uri="/goform/setIPv6status" OR uri="/goform/getWanParameter") AND status=200

📊 Metadata

CVE ID: CVE-2023-40798

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-20

Published: August 25, 2023

Last Updated: November 21, 2024

🔗 References

https://github.com/lst-oss/Vulnerability/tree/main/Tenda/AC23/formSetIPv6status-formGetWanParameter Exploit,Third Party Advisory
https://github.com/lst-oss/Vulnerability/tree/main/Tenda/AC23/formSetIPv6status-formGetWanParameter Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-40798, you might also want to check these: