CVE-2023-49428 – This CVE describes a command injection vulnerab... (How to Fix)

📋 TL;DR

This CVE describes a command injection vulnerability in Tenda AX12 routers where an attacker can execute arbitrary commands via the 'mac' parameter in the SetOnlineDevName endpoint. Attackers with network access to the router can exploit this to gain full control of the device. All users of affected Tenda AX12 routers are at risk.

💻 Affected Systems

Products:

Tenda AX12

Versions: V22.03.01.46

Operating Systems: Embedded Linux (router firmware)

Default Config Vulnerable: ⚠️ Yes

Notes: Affects the web management interface of the router. No special configuration required for exploitation.

📦 What is this software?

Ax12 Firmware by Tenda

View all CVEs affecting Ax12 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full remote code execution leading to complete router compromise, credential theft, network traffic interception, and lateral movement into connected devices.

🟠

Likely Case

Router takeover allowing DNS hijacking, credential harvesting, and installation of persistent malware on the router.

🟢

If Mitigated

Limited impact if router is behind firewall with restricted WAN access and strong network segmentation.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices, and this vulnerability requires no authentication.

🏢 Internal Only: HIGH - Even internally, any device on the network could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public proof-of-concept available on GitHub. Exploitation requires sending a crafted HTTP POST request to the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check Tenda website for firmware updates
2. Download latest firmware for AX12
3. Access router admin panel
4. Navigate to firmware update section
5. Upload and apply new firmware
6. Reboot router after update

🔧 Temporary Workarounds

Disable Remote Management

all

Prevent external access to router management interface

Network Segmentation

all

Isolate router management interface to trusted network segment only

🧯 If You Can't Patch

Replace affected router with different model/brand
Place router behind dedicated firewall with strict inbound rules

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin panel. If version is V22.03.01.46, device is vulnerable.

Check Version:

curl -s http://router-ip/goform/getStatus | grep version

Verify Fix Applied:

Verify firmware version has been updated to a version later than V22.03.01.46

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests to /goform/SetOnlineDevName
Commands with shell metacharacters in 'mac' parameter
Unexpected process execution in router logs

Network Indicators:

HTTP POST requests to /goform/SetOnlineDevName with shell commands in parameters
Unusual outbound connections from router

SIEM Query:

source="router_logs" AND (uri="/goform/SetOnlineDevName" OR (parameter="mac" AND value MATCHES "[;&|`$()]"))

📊 Metadata

CVE ID: CVE-2023-49428

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-77

Published: December 7, 2023

Last Updated: November 21, 2024

🔗 References

https://github.com/ef4tless/vuln/blob/master/iot/AX12/SetOnlineDevName.md Exploit,Third Party Advisory
https://github.com/ef4tless/vuln/blob/master/iot/AX12/SetOnlineDevName.md Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-49428, you might also want to check these: