CVE-2024-10697

6.3 MEDIUM

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary commands on Tenda AC6 routers by injecting malicious commands into the 'mac' parameter of the formWriteFacMac API endpoint. Attackers can take full control of affected devices without authentication. Only Tenda AC6 routers running firmware version 15.03.05.19 are affected.

💻 Affected Systems

Products:
  • Tenda AC6
Versions: 15.03.05.19
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default configuration; no special settings required for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of router with ability to pivot to internal network, intercept/modify traffic, install persistent malware, or use as botnet node.

🟠 Likely Case

Router takeover leading to DNS hijacking, credential theft from network traffic, or deployment of cryptocurrency miners.

🟢 If Mitigated

Limited impact if router is behind firewall with restricted API access, though still vulnerable to internal threats.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code available; exploitation requires simple HTTP POST request with command injection payload.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.tenda.com.cn/

Restart Required: Yes

Instructions:

1. Check Tenda website for firmware updates
2. Download latest firmware for AC6
3. Upload via router admin interface
4. Reboot router after update

🔧 Temporary Workarounds

Block API Endpoint Access

Platform: Linux

Restrict access to the vulnerable /goform/WriteFacMac endpoint using firewall rules. These are INPUT-chain rules, so they protect the host they are loaded on. Note that string matching cannot see inside a TLS-encrypted request, so the port 443 rule only matches plaintext traffic; cover HTTPS admin access by disabling remote management below.

iptables -A INPUT -p tcp --dport 80 -m string --string "/goform/WriteFacMac" --algo bm -j DROP
iptables -A INPUT -p tcp --dport 443 -m string --string "/goform/WriteFacMac" --algo bm -j DROP

Disable Remote Management

Platform: all

Turn off WAN access to the router admin interface.

🧯 If You Can't Patch

  • Replace affected Tenda AC6 routers with different models/brands
  • Place routers behind dedicated firewall with strict inbound filtering

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface; if version is 15.03.05.19, device is vulnerable.

Check Version:

curl -s http://router-ip/goform/getStatus | grep version

Verify Fix Applied:

Verify firmware version has changed from 15.03.05.19 to newer version after update.

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to /goform/WriteFacMac with unusual mac parameter values
  • Router logs showing unexpected command execution

Network Indicators:

  • Unusual outbound connections from router IP
  • DNS queries to suspicious domains from router

SIEM Query:

source="router_logs" AND uri_path="/goform/WriteFacMac" AND (mac="*;*" OR mac="*|*" OR mac="*`*")
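The SIEM query above as offline detection logic, added here as an example and not part of the original advisory. It parses constructed web-server log lines (the `body="..."` field and the log layout are assumed, not a real Tenda log format), and goes one step further than the query: any 'mac' value that is not a well-formed MAC address is flagged, not only values containing shell metacharacters.

```python
import re
from urllib.parse import parse_qs

VULN_PATH = "/goform/WriteFacMac"
# Strict MAC address form; anything else sent as 'mac' is worth a look.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")
# Metacharacters the SIEM query keys on (; | `), plus $ and newline.
META_RE = re.compile(r"[;|`$\n]")
# Assumed (constructed) log layout:
#   <ip> - - [<time>] "<METHOD> <path> HTTP/x.y" <status> body="<urlencoded form>"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) .*"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d+) body="(?P<body>[^"]*)"'
)

# Constructed sample lines: one benign write, two suspicious, one unrelated.
SAMPLE_LOGS = [
    '192.168.0.20 - - [01/Nov/2024:10:00:01] "POST /goform/WriteFacMac HTTP/1.1" 200 body="mac=00%3A11%3A22%3A33%3A44%3A55"',
    '203.0.113.9 - - [01/Nov/2024:10:00:02] "POST /goform/WriteFacMac HTTP/1.1" 200 body="mac=00%3A11%3A22%3A33%3A44%3A55%3Bx"',
    '203.0.113.9 - - [01/Nov/2024:10:00:03] "POST /goform/WriteFacMac HTTP/1.1" 200 body="mac=aa%7Cx"',
    '192.168.0.20 - - [01/Nov/2024:10:00:04] "GET /goform/getStatus HTTP/1.1" 200 body=""',
]

def classify(line):
    """Return (verdict, detail) for one log line: 'ignore', 'ok' or 'alert'."""
    m = LINE_RE.match(line)
    if not m:
        return ("ignore", "unparsed line")
    if m["method"] != "POST" or m["path"].split("?")[0] != VULN_PATH:
        return ("ignore", "not a write to the vulnerable endpoint")
    # parse_qs URL-decodes the form body, so %3B becomes ';' before the check.
    mac = parse_qs(m["body"], keep_blank_values=True).get("mac", [""])[0]
    if MAC_RE.match(mac):
        return ("ok", mac)
    if META_RE.search(mac):
        return ("alert", f"metacharacter in mac from {m['ip']}: {mac!r}")
    return ("alert", f"malformed mac from {m['ip']}: {mac!r}")

def scan(lines):
    """Return (index, detail) for every line that raises an alert."""
    return [(i, d) for i, l in enumerate(lines) for v, d in [classify(l)] if v == "alert"]

if __name__ == "__main__":
    for idx, detail in scan(SAMPLE_LOGS):
        print(f"line {idx}: {detail}")
```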
