CVE-2024-2893

8.8 HIGH

📋 TL;DR

This critical vulnerability in Tenda AC7 routers allows remote attackers to execute arbitrary code via a stack-based buffer overflow in the device name setting function. Attackers can exploit this without authentication to potentially take full control of affected routers. All users running Tenda AC7 firmware version 15.03.06.44 are affected.

💻 Affected Systems

Products:
  • Tenda AC7
Versions: 15.03.06.44
Operating Systems: Embedded Linux firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web management interface which is typically enabled by default on port 80/443.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the router with persistent backdoor installation, credential theft, network traffic interception, and pivoting to internal network devices.

🟠 Likely Case

Router takeover leading to DNS hijacking, credential harvesting, and botnet recruitment for DDoS attacks.

🟢 If Mitigated

Limited impact if the router is behind a firewall with restricted WAN access, though internal attacks remain possible.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code available on GitHub, remote exploitation without authentication, simple buffer overflow technique.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: Yes

Instructions:

No official patch available. Consider replacing affected hardware or implementing strict network controls.

🔧 Temporary Workarounds

Disable Remote Management

Applies to: all

Disable web management interface access from the WAN/Internet.

Access router admin panel > System Tools > Remote Management > Disable

Network Segmentation

Applies to: all

Isolate the router management interface on a separate VLAN.

🧯 If You Can't Patch

  • Replace affected Tenda AC7 routers with different models from vendors with better security track records
  • Implement strict firewall rules blocking all inbound traffic to router management interfaces (ports 80, 443, 8080)

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin panel: System Tools > Firmware Upgrade > Current Version

Check Version:

curl -s http://router-ip/ | grep -i 'firmware version'

or check the web interface.

Verify Fix Applied:

Verify that the running firmware version is no longer 15.03.06.44.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /goform/SetOnlineDevName with long devName parameters
  • Router crash/reboot logs

Network Indicators:

  • HTTP POST requests to router IP on port 80/443 with oversized devName parameter
  • Unusual outbound connections from router

SIEM Query:

source="router_logs" AND ((uri="/goform/SetOnlineDevName" AND content_length>100) OR (process="httpd" AND event="crash"))
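The two log indicators above (oversized devName POSTs to the SetOnlineDevName endpoint, and httpd crashes) as a small detection routine run over constructed log lines. This is an added example, not code from the advisory or from Tenda; the log line format, the 100-byte devName threshold (taken from the SIEM query above) and the sample lines are assumptions.

```python
import re
from typing import Optional
from urllib.parse import parse_qs

VULN_PATH = "/goform/SetOnlineDevName"  # endpoint named in the advisory
DEVNAME_MAX = 100                         # bytes; same threshold as the SIEM query

# Constructed sample lines (not real captures). Assumed format:
#   <client-ip> <method> <path> <urlencoded-body-or-dash>
# plus free-form daemon messages for crashes.
SAMPLE_LOG = """\
192.168.1.20 POST /goform/SetOnlineDevName mac=00:11:22:33:44:55&devName=laptop
203.0.113.9 POST /goform/SetOnlineDevName mac=00:11:22:33:44:55&devName={long}
192.168.1.20 GET /goform/GetOnlineDevName -
httpd: process crashed (signal 11), restarting
""".format(long="A" * 300)

LINE_RE = re.compile(r"^(?P<src>\S+) (?P<method>GET|POST) (?P<path>\S+) (?P<body>\S+)$")


def classify(line: str) -> Optional[dict]:
    """Return an alert dict if the line matches one of the advisory's
    log indicators (oversized devName POST, or an httpd crash), else None."""
    if line.startswith("httpd:") and "crash" in line:
        return {"rule": "httpd_crash", "detail": line}
    m = LINE_RE.match(line)
    if not m or m["method"] != "POST" or m["path"] != VULN_PATH:
        return None
    params = parse_qs(m["body"], keep_blank_values=True)
    # Longest devName value in the request, measured in bytes after decoding.
    length = max((len(v.encode()) for v in params.get("devName", [])), default=0)
    if length > DEVNAME_MAX:
        return {"rule": "oversized_devName", "src": m["src"], "devName_len": length}
    return None


def scan(log_text: str) -> list:
    """Apply classify() to every line and collect the alerts in order."""
    return [a for a in (classify(l) for l in log_text.splitlines()) if a]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```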
