CVE-2023-47456 – Tenda AX1806 routers running firmware V1.0.0.1 ... (How to Fix)

📋 TL;DR

Tenda AX1806 routers running firmware V1.0.0.1 contain a stack overflow vulnerability in the wireless repeater configuration function. This allows remote attackers to execute arbitrary code on the device, potentially gaining full control. All users of affected routers are at risk.

💻 Affected Systems

Products:

Tenda AX1806

Versions: V1.0.0.1

Operating Systems: Embedded Linux

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerability exists in default wireless repeater configuration function. No special configuration required for exploitation.

📦 What is this software?

Ax1806 Firmware by Tenda

View all CVEs affecting Ax1806 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise leading to persistent backdoor installation, network traffic interception, lateral movement to connected devices, and botnet recruitment.

🟠

Likely Case

Remote code execution allowing attacker to modify router settings, intercept traffic, or use device as proxy for attacks.

🟢

If Mitigated

Limited impact if device is behind firewall with restricted WAN access and strong network segmentation.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public proof-of-concept available in GitHub repository. Exploitation requires network access to router's web interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: Yes

Instructions:

1. Check Tenda support site for firmware updates
2. Download latest firmware for AX1806
3. Log into router admin interface
4. Navigate to System Tools > Firmware Upgrade
5. Upload and install new firmware
6. Reboot router

🔧 Temporary Workarounds

Disable Wireless Repeater Function

all

Disable the vulnerable wireless repeater feature to prevent exploitation

Restrict Web Interface Access

all

Limit access to router admin interface to trusted IP addresses only

🧯 If You Can't Patch

Isolate affected router in separate VLAN with strict firewall rules
Implement network monitoring for unusual traffic patterns from router

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface under System Status. If version is V1.0.0.1, device is vulnerable.

Check Version:

curl -s http://router-ip/goform/getStatus | grep version

Verify Fix Applied:

Verify firmware version has been updated to a version later than V1.0.0.1

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests to /goform/setWirelessRepeat
Multiple failed authentication attempts to router admin

Network Indicators:

Unusual outbound connections from router
Traffic spikes from router to unknown external IPs

SIEM Query:

source="router-logs" AND (uri="/goform/setWirelessRepeat" OR method="POST" AND uri LIKE "%/goform/%")

📊 Metadata

CVE ID: CVE-2023-47456

CVSS v3 Score: 9.1 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

CWE: CWE-787

Published: November 7, 2023

Last Updated: November 21, 2024

🔗 References

https://github.com/Anza2001/IOT_VULN/blob/main/Tenda/AX1806/fromSetWirelessRepeat.md Exploit,Third Party Advisory
https://github.com/Anza2001/IOT_VULN/blob/main/Tenda/AX1806/fromSetWirelessRepeat.md Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-47456, you might also want to check these: