Login Sign Up

CVE-2023-49429

9.8 CRITICAL
SQL Injection

📋 TL;DR

CVE-2023-49429 is a SQL injection vulnerability in Tenda AX9 routers that allows attackers to execute arbitrary SQL commands through the 'mac' parameter in the setDeviceInfo feature. This affects all users running vulnerable firmware versions, potentially leading to complete device compromise. Attackers can exploit this without authentication to manipulate the router's database.

💻 Affected Systems

Products:
  • Tenda AX9
Versions: V22.03.01.46 and likely earlier versions
Operating Systems: Embedded Linux firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable as the feature is part of the web management interface.

📦 What is this software?

Ax9 Firmware by Tenda

View all CVEs affecting Ax9 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete router takeover leading to credential theft, network traffic interception, malware deployment, and pivot to internal network devices.

🟠

Likely Case

Router configuration manipulation, credential extraction, and denial of service through database corruption.

🟢

If Mitigated

Limited impact if network segmentation isolates the router and external access is blocked.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing and the exploit requires no authentication.
🏢 Internal Only: MEDIUM - Internal attackers could exploit if they gain network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept exists showing simple HTTP POST exploitation. No authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No official vendor advisory found

Restart Required: Yes

Instructions:

1. Check Tenda website for firmware updates 2. Download latest firmware 3. Upload via web interface 4. Reboot router

🔧 Temporary Workarounds

Disable remote management

all

Prevent external access to router web interface

Access router settings > Disable 'Remote Management' or 'Web Access from WAN'

Network segmentation

all

Isolate router management interface from untrusted networks

Configure firewall rules to block external access to port 80/443 on router IP

🧯 If You Can't Patch

  • Replace vulnerable router with patched alternative
  • Implement strict network access controls and monitor for exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router web interface under System Status or About page

Check Version:

curl -s http://router-ip/goform/getStatus | grep version

Verify Fix Applied:

Verify firmware version is newer than V22.03.01.46

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /goform/setModules
  • SQL error messages in logs
  • Multiple failed authentication attempts

Network Indicators:

  • HTTP requests with SQL injection patterns in 'mac' parameter
  • Unexpected database queries from router

SIEM Query:

source="router_logs" AND (url="/goform/setModules" OR message="SQL" OR message="database")

📊 Metadata

CVE ID: CVE-2023-49429
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-89
Published: December 7, 2023
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-49429, you might also want to check these:

CVE-2024-8522 10.0

This vulnerability allows unauthenticated attackers to perform SQL injection attacks on WordPress si...

Same vulnerability type (CWE-89)
CVE-2024-13152 10.0

This SQL injection vulnerability in BSS Software's Mobuy Online Machinery Monitoring Panel allows at...

Same vulnerability type (CWE-89)
CVE-2021-42311 10.0

CVE-2021-42311 is a critical SQL injection vulnerability in Microsoft Defender for IoT that allows r...

Same vulnerability type (CWE-89)