CVE-2023-51094

9.8 CRITICAL

📋 TL;DR

Tenda M3 routers running firmware version 1.0.0.12(4856) contain a command injection vulnerability in the TendaTelnet function. This allows remote attackers to execute arbitrary commands with root privileges. All users of affected Tenda M3 routers are vulnerable.

💻 Affected Systems

Products:
  • Tenda M3 Router
Versions: V1.0.0.12(4856)
Operating Systems: Embedded Linux (router firmware)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the specific firmware version mentioned. Other Tenda models or firmware versions may not be vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the router allowing attackers to intercept all network traffic, install persistent backdoors, pivot to internal networks, and use the device for botnet activities.

🟠 Likely Case

Router takeover leading to DNS hijacking, credential theft from network traffic, and use as a proxy for malicious activities.

🟢 If Mitigated

Limited impact if router is behind firewall with restricted WAN access and telnet disabled.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices, and the vulnerability allows unauthenticated remote code execution.
🏢 Internal Only: MEDIUM - Attackers on the local network could exploit this to gain router control and pivot to other devices.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public GitHub repository contains exploit details and proof-of-concept. The vulnerability is in the telnet service which is often enabled by default.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not found

Restart Required: Yes

Instructions:

1. Check Tenda website for firmware updates
2. If update available, download and install via router admin interface
3. Reboot router after update
4. Verify telnet service is disabled

🔧 Temporary Workarounds

Disable Telnet Service

Platform: all

Disable the telnet service which contains the vulnerable function

telnet service stop
disable telnet in router admin interface

Restrict Network Access

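Platform: linux

Block the telnet port (23) at the firewall and restrict access to the router management interface. Adjust the source subnet to match your LAN.

iptables -A INPUT -p tcp --dport 23 -j DROP
iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 80 -j ACCEPT
# The ACCEPT above restricts nothing unless other sources are dropped
iptables -A INPUT -p tcp --dport 80 -j DROP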

🧯 If You Can't Patch

  • Replace affected router with different model or vendor
  • Place router behind dedicated firewall with strict ingress filtering

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface. If version is exactly V1.0.0.12(4856), the device is vulnerable.

Check Version:

Check router web interface at 192.168.0.1 or 192.168.1.1 under System Status or About section

Verify Fix Applied:

After the update, verify that the firmware version is no longer V1.0.0.12(4856), and test that the telnet service does not respond on port 23.

📡 Detection & Monitoring

Log Indicators:

  • Unusual telnet connection attempts
  • Unexpected command execution in router logs
  • Failed authentication attempts to telnet service

Network Indicators:

  • Telnet traffic to router on port 23 from unexpected sources
  • Unusual outbound connections from router

SIEM Query:

source="router.log" AND ("telnet" OR "TendaTelnet") AND ("exec" OR "command" OR "injection")
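
The two network indicators above can be checked directly against firewall logs. The following is an added example, not part of the original advisory: it assumes a Linux firewall in front of the router that logs packets in iptables LOG format, and the router address, trusted LAN range, allowed outbound ports and sample lines are all constructed for illustration.

```python
import ipaddress
import re

# Assumptions (not from the advisory): router address, trusted LAN range,
# and the set of destination ports the router is expected to reach.
ROUTER_IP = ipaddress.ip_address("192.168.1.1")
TRUSTED_NET = ipaddress.ip_network("192.168.1.0/24")
ALLOWED_OUTBOUND_PORTS = {53, 80, 123, 443}
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

# Constructed, abbreviated iptables LOG lines (sample input only).
SAMPLE_LOG = """\
Jan 10 03:12:01 fw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.45 DST=192.168.1.1 LEN=60 TTL=52 PROTO=TCP SPT=51544 DPT=23 SYN
Jan 10 03:13:30 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.1 DST=198.51.100.7 LEN=60 TTL=64 PROTO=TCP SPT=39001 DPT=4444 SYN
Jan 10 03:14:02 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.1 DST=198.51.100.53 LEN=72 TTL=64 PROTO=UDP SPT=5353 DPT=53
Jan 10 03:15:00 fw kernel: truncated entry without address fields
"""

def parse_line(line):
    """Return (src, dst, proto, dport) for one LOG line, or None if unusable."""
    fields = dict(FIELD_RE.findall(line))
    if not {"SRC", "DST", "PROTO", "DPT"} <= fields.keys():
        return None
    try:
        return (ipaddress.ip_address(fields["SRC"]),
                ipaddress.ip_address(fields["DST"]),
                fields["PROTO"], int(fields["DPT"]))
    except ValueError:  # malformed address or port
        return None

def classify(line):
    """Map a log line to one of the advisory's network indicators, or None."""
    parsed = parse_line(line)
    if parsed is None:
        return None
    src, dst, proto, dport = parsed
    if dst == ROUTER_IP and proto == "TCP" and dport == 23:
        return "telnet-from-lan" if src in TRUSTED_NET else "telnet-from-untrusted"
    if src == ROUTER_IP and dst not in TRUSTED_NET and dport not in ALLOWED_OUTBOUND_PORTS:
        return "unusual-router-outbound"
    return None

def scan(log_text):
    return [(label, line) for line in log_text.splitlines()
            if (label := classify(line))]

if __name__ == "__main__":
    for label, line in scan(SAMPLE_LOG):
        print(f"[{label}] {line}")
```

Telnet from inside the LAN is labelled separately rather than ignored, since the advisory rates internal exposure as MEDIUM.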
