Login Sign Up

CVE-2024-10661

8.8 HIGH
Remote Code Execution Buffer Overflow

📋 TL;DR

This critical vulnerability in Tenda AC15 routers allows remote attackers to execute arbitrary code via a stack-based buffer overflow in the DLNA configuration function. Attackers can exploit this without authentication to potentially take full control of affected devices. Users running vulnerable firmware versions are at immediate risk.

💻 Affected Systems

Products:
  • Tenda AC15
Versions: 15.03.05.19
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All devices running this specific firmware version are vulnerable by default. The web interface is typically enabled.

📦 What is this software?

Ac15 Firmware by Tenda

View all CVEs affecting Ac15 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete device compromise, persistent backdoor installation, network pivoting, and data exfiltration.

🟠

Likely Case

Router takeover enabling traffic interception, DNS manipulation, credential theft, and botnet recruitment.

🟢

If Mitigated

Limited impact if device is behind firewall with restricted WAN access, though LAN exploitation remains possible.

🌐 Internet-Facing: HIGH - Directly exploitable from internet without authentication on exposed devices.
🏢 Internal Only: HIGH - Exploitable from any network segment with access to the router's web interface.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code exists in GitHub repository. Attack requires sending crafted HTTP POST request to vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.tenda.com.cn/

Restart Required: Yes

Instructions:

1. Check Tenda website for firmware updates. 2. Download latest firmware. 3. Access router admin interface. 4. Navigate to System Tools > Firmware Upgrade. 5. Upload new firmware file. 6. Wait for automatic reboot.

🔧 Temporary Workarounds

Disable Remote Management

all

Prevent external exploitation by disabling WAN access to router web interface

Network Segmentation

all

Isolate router management interface to separate VLAN

🧯 If You Can't Patch

  • Replace vulnerable device with supported model
  • Implement strict firewall rules blocking access to port 80/443 on router from untrusted networks

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router web interface under System Status or via command: curl -s http://router-ip/goform/SetDlnaCfg

Check Version:

curl -s http://router-ip | grep -i firmware || ssh admin@router 'cat /etc/version'

Verify Fix Applied:

Verify firmware version is updated beyond 15.03.05.19 and test exploit no longer works

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to /goform/SetDlnaCfg with long scanList parameter
  • Router crash/reboot logs
  • Unusual process execution

Network Indicators:

  • HTTP traffic to router port 80/443 with abnormal POST data patterns
  • Outbound connections from router to suspicious IPs

SIEM Query:

source="router-logs" AND (uri_path="/goform/SetDlnaCfg" AND content_length>1000)

📊 Metadata

CVE ID: CVE-2024-10661
CVSS v3 Score: 8.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-121
Published: November 1, 2024
Last Updated: November 5, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-10661, you might also want to check these:

CVE-2024-39791 10.0

CVE-2024-39791 is a critical stack-based buffer overflow vulnerability in Vonets industrial WiFi bri...

Same vulnerability type (CWE-121)
CVE-2022-20699 10.0

This critical vulnerability in Cisco Small Business routers allows unauthenticated remote attackers ...

Same vulnerability type (CWE-121)
CVE-2022-20701 10.0

This CVE describes multiple critical vulnerabilities in Cisco Small Business RV series routers that ...

Same vulnerability type (CWE-121)