CVE-2023-41562

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on affected Tenda routers via a stack overflow in the PowerSaveSet function. Attackers can exploit this by sending specially crafted requests to the /goform/PowerSaveSet endpoint. Users of specific Tenda router models with vulnerable firmware versions are affected.

💻 Affected Systems

Products:
  • Tenda AC7
  • Tenda AC9
  • Tenda AC5
Versions: AC7 V15.03.06.44, AC9 V15.03.06.42_multi, AC5 US_AC5V1.0RTL_V15.03.06.28
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects specific firmware versions only. Other Tenda models or different firmware versions may not be vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the router leading to persistent backdoor installation, network traffic interception, lateral movement to internal devices, and botnet recruitment.

🟠 Likely Case

Router takeover allowing attackers to modify DNS settings, intercept traffic, disable security features, and use the device for further attacks.

🟢 If Mitigated

Limited impact if routers are behind firewalls with strict inbound filtering and network segmentation prevents lateral movement.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices directly accessible from WAN interfaces.
🏢 Internal Only: MEDIUM - Internal attackers could exploit if they gain network access, but external exploitation is more likely.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A public proof-of-concept exists in GitHub repositories. Exploitation requires sending an HTTP POST request with a malicious time parameter.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None found

Restart Required: Yes

Instructions:

1. Check Tenda website for firmware updates.
2. Download latest firmware for your model.
3. Access router admin interface.
4. Navigate to firmware upgrade section.
5. Upload and apply new firmware.
6. Reboot router.

🔧 Temporary Workarounds

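Disable remote management (all platforms)

Prevent external access to the router admin interface.

Firewall blocking (Linux)

Block access to the /goform/PowerSaveSet endpoint:

iptables -A INPUT -p tcp --dport 80 -m string --string "/goform/PowerSaveSet" --algo bm -j DROP
iptables -A INPUT -p tcp --dport 443 -m string --string "/goform/PowerSaveSet" --algo bm -j DROP

The string match inspects cleartext payloads only, so the port 443 rule cannot see the URI inside a TLS session; restrict access to the admin interface itself on that port. The INPUT chain covers traffic addressed to the host running iptables; on a separate Linux firewall placed in front of the router, the same matches belong in the FORWARD chain.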

🧯 If You Can't Patch

  • Isolate affected routers in separate VLAN with strict firewall rules
  • Implement network monitoring for exploitation attempts and anomalous router behavior

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface under System Status or Firmware Upgrade section

Check Version:

curl -s http://router-ip/goform/getStatus | grep version

Replace router-ip with the router's address, or check the version in the web interface.

Verify Fix Applied:

Verify firmware version has been updated to a version later than those listed in affected systems

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to /goform/PowerSaveSet with unusually long time parameter
  • Router crash/reboot logs
  • Unusual process execution in router logs

Network Indicators:

  • HTTP traffic to router on port 80/443 with PowerSaveSet in URI
  • Unusual outbound connections from router after exploitation

SIEM Query:

source="router_logs" AND uri="/goform/PowerSaveSet" AND method="POST"
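
The first log indicator above (POST to /goform/PowerSaveSet with an unusually long time parameter) can be checked offline against request logs. The following is an added example, not code from the vendor or from any advisory. The tab-separated log layout (timestamp, source IP, method, request target, body), the 32-byte threshold and the sample records are assumptions constructed for illustration.

```python
from urllib.parse import parse_qsl, urlsplit

ENDPOINT = "/goform/PowerSaveSet"  # endpoint named in this advisory
MAX_TIME_LEN = 32                  # assumed threshold; tune to your own baseline


def suspicious_requests(lines, max_len=MAX_TIME_LEN):
    """Return [(src_ip, time_len)] for POSTs to ENDPOINT with an oversized 'time'."""
    hits = []
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 5:
            continue  # malformed record, skip rather than crash
        _ts, src, method, target, body = fields
        url = urlsplit(target)
        if method.upper() != "POST" or url.path.rstrip("/") != ENDPOINT:
            continue
        # 'time' may arrive in the query string or the form body; check both.
        # latin-1 maps each percent-decoded byte to one character, so len()
        # is the byte count the device would receive, not the encoded length.
        params = []
        for raw in (url.query, body):
            params += parse_qsl(raw, keep_blank_values=True, encoding="latin-1")
        longest = max((len(v) for k, v in params if k == "time"), default=0)
        if longest > max_len:
            hits.append((src, longest))
    return hits


# Constructed sample records (documentation IP ranges, filler payloads).
SAMPLE_LOG = [
    "2023-09-01T10:00:00Z\t192.0.2.10\tPOST\t/goform/PowerSaveSet\ttime=00%3A00-07%3A00",
    "2023-09-01T10:00:05Z\t198.51.100.7\tPOST\t/goform/PowerSaveSet\ttime=" + "A" * 600,
    "2023-09-01T10:00:09Z\t198.51.100.7\tGET\t/goform/getStatus\t",
    "2023-09-01T10:00:12Z\t203.0.113.5\tPOST\t/goform/PowerSaveSet?time=" + "%41" * 200 + "\t",
    "truncated record",
]

if __name__ == "__main__":
    for src, length in suspicious_requests(SAMPLE_LOG):
        print(f"ALERT {src}: time parameter is {length} bytes on {ENDPOINT}")
```

Because the length is measured after percent-decoding, a padded but short value is not flagged and an encoded long value is not missed.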
