Login Sign Up

CVE-2023-51100

9.8 CRITICAL
Remote Code Execution

📋 TL;DR

This CVE describes a command injection vulnerability in Tenda W9 routers that allows attackers to execute arbitrary commands on the device. The vulnerability exists in the formGetDiagnoseInfo function and affects users running the vulnerable firmware version. Attackers can exploit this to gain full control of the router.

💻 Affected Systems

Products:
  • Tenda W9
Versions: V1.0.0.7(4456)_CN
Operating Systems: Embedded Linux firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Only the Chinese firmware version appears to be confirmed vulnerable. Other regional versions may also be affected.

📦 What is this software?

W9 Firmware by Tenda

View all CVEs affecting W9 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the router allowing attackers to intercept traffic, modify configurations, install persistent backdoors, and pivot to internal networks.

🟠

Likely Case

Remote code execution leading to router compromise, DNS hijacking, credential theft, and network surveillance.

🟢

If Mitigated

Limited impact if network segmentation isolates the router and external access is restricted.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices, making them accessible to remote attackers.
🏢 Internal Only: MEDIUM - Internal attackers could exploit this if they gain network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept code exists on GitHub. The vulnerability appears to be remotely exploitable without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check Tenda's official website for firmware updates. 2. Download the latest firmware for W9 router. 3. Access router admin interface. 4. Navigate to firmware upgrade section. 5. Upload and apply the new firmware. 6. Reboot the router.

🔧 Temporary Workarounds

Disable remote management

all

Prevent external access to router administration interface

Network segmentation

all

Isolate router management interface to trusted network segments only

🧯 If You Can't Patch

  • Replace affected routers with different models or brands
  • Implement strict firewall rules to block all external access to router management interface

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface. If version is V1.0.0.7(4456)_CN, the device is vulnerable.

Check Version:

Login to router admin interface and check System Status or Firmware Information page.

Verify Fix Applied:

Verify firmware version has been updated to a version later than V1.0.0.7(4456)_CN.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to formGetDiagnoseInfo endpoint
  • Suspicious command execution in system logs
  • Unexpected process creation

Network Indicators:

  • Unusual outbound connections from router
  • Traffic to unexpected destinations
  • Port scanning originating from router

SIEM Query:

source="router_logs" AND (uri="/goform/GetDiagnoseInfo" OR process="formGetDiagnoseInfo")

📊 Metadata

CVE ID: CVE-2023-51100
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-78
Published: December 26, 2023
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-51100, you might also want to check these:

CVE-2023-2564 10.0

This CVE describes an OS command injection vulnerability in scanservjs web scanning software that al...

Same vulnerability type (CWE-78)
CVE-2024-58338 10.0

Anevia Flamingo XL 3.2.9 contains a restricted shell escape vulnerability that allows remote attacke...

Same vulnerability type (CWE-78)
CVE-2025-26389 10.0

This critical vulnerability allows unauthenticated remote attackers to execute arbitrary code with r...

Same vulnerability type (CWE-78)