Login Sign Up

CVE-2023-40942

9.8 CRITICAL
Remote Code Execution

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on Tenda AC9 routers via a stack overflow in the firewall configuration endpoint. Attackers can exploit this by sending specially crafted requests to the /goform/SetFirewallCfg URL. All users running the affected firmware version are vulnerable.

💻 Affected Systems

Products:
  • Tenda AC9
Versions: V3.0BR_V15.03.06.42_multi_TD01
Operating Systems: Embedded Linux (router firmware)
Default Config Vulnerable: ⚠️ Yes
Notes: This appears to be a specific firmware version for the AC9 model. Other versions may also be affected but not confirmed.

📦 What is this software?

Ac9 Firmware by Tendacn

View all CVEs affecting Ac9 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the router leading to persistent backdoor installation, network traffic interception, credential theft, and lateral movement to connected devices.

🟠

Likely Case

Router takeover enabling DNS hijacking, credential harvesting from network traffic, and botnet recruitment.

🟢

If Mitigated

Limited impact if network segmentation isolates the router and external access is restricted.

🌐 Internet-Facing: HIGH - The vulnerable endpoint is typically accessible from WAN interfaces on consumer routers.
🏢 Internal Only: HIGH - Even if not internet-facing, attackers on the local network can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The GitHub reference contains technical details and likely exploit code. Stack overflow vulnerabilities in embedded devices are frequently weaponized.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: Yes

Instructions:

1. Check Tenda's official website for firmware updates. 2. Download the latest firmware for AC9. 3. Access router admin interface. 4. Navigate to firmware upgrade section. 5. Upload and apply the new firmware. 6. Reboot the router.

🔧 Temporary Workarounds

Disable remote management

all

Prevent external access to the router's admin interface

Network segmentation

all

Isolate the router from critical internal networks

🧯 If You Can't Patch

  • Replace the router with a different model/vendor
  • Implement strict firewall rules to block all access to the router's IP except from trusted management stations

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface. If version is V3.0BR_V15.03.06.42_multi_TD01, the device is vulnerable.

Check Version:

Check via router web interface at 192.168.0.1 or 192.168.1.1 (default Tenda IPs)

Verify Fix Applied:

After updating firmware, verify the version has changed from the vulnerable version.

📡 Detection & Monitoring

Log Indicators:

  • Multiple POST requests to /goform/SetFirewallCfg with unusual payloads
  • Router crash/reboot logs

Network Indicators:

  • Unusual traffic patterns from router to external IPs
  • DNS queries to suspicious domains from router

SIEM Query:

source_ip=router_ip AND (url_path="/goform/SetFirewallCfg" OR http_method="POST" AND user_agent contains unusual patterns)

📊 Metadata

CVE ID: CVE-2023-40942
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-787
Published: September 7, 2023
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-40942, you might also want to check these:

CVE-2022-43604 10.0

CVE-2022-43604 is a critical out-of-bounds write vulnerability in the OpENer EtherNet/IP stack that ...

Same vulnerability type (CWE-787)
CVE-2025-24201 10.0

This critical vulnerability allows malicious web content to break out of the Web Content sandbox via...

Same vulnerability type (CWE-787)
CVE-2020-14871 10.0

This is a critical buffer overflow vulnerability (CWE-787) in Oracle Solaris's Pluggable Authenticat...

Same vulnerability type (CWE-787)