CVE-2024-2895

8.8 HIGH

📋 TL;DR

This high-severity vulnerability in Tenda AC7 routers allows remote attackers to execute arbitrary code via a stack-based buffer overflow in the WPS configuration function of the web management interface. It can be exploited without authentication, potentially giving an attacker full control of the affected device. All Tenda AC7 routers running firmware version 15.03.06.44 are affected.

💻 Affected Systems

Products:
  • Tenda AC7
Versions: 15.03.06.44
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All devices running the affected firmware version are vulnerable by default. The vulnerable function is part of the web management interface.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete device compromise, persistent backdoor installation, network traffic interception, and lateral movement to other devices on the network.

🟠 Likely Case

Remote code execution allowing attackers to modify router settings, intercept traffic, or use the device as part of a botnet.

🟢 If Mitigated

Limited impact if the device is behind strict network segmentation with no internet exposure and all unnecessary services disabled.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and affects internet-facing routers directly exposed to attackers.
🏢 Internal Only: MEDIUM - Still exploitable from within the network, but requires initial network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit details are available on GitHub. Exploitation requires no authentication and is straightforward because the flaw is a plain stack-based buffer overflow.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: Yes

Instructions:

No official patch is available. The vendor did not respond to disclosure. Consider replacing affected devices or implementing workarounds.

🔧 Temporary Workarounds

Disable WPS and web management interface
Platform: all

Disable WiFi Protected Setup (WPS) and, where possible, the web management interface (at minimum its remote management option) to remove the attack surface.

Access router admin panel -> Wireless Settings -> Disable WPS
Access router admin panel -> System Tools -> Disable Remote Management

Network segmentation and firewall rules
Platform: linux

Isolate the router on a separate VLAN and restrict access to its management interfaces. The rules below are intended for a Linux firewall in front of the router; as written they drop all inbound TCP to ports 80 and 443 on the host where they are applied, including access from the LAN, so scope them to the untrusted interface or source ranges if local administration must remain available.

iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

🧯 If You Can't Patch

  • Replace affected Tenda AC7 routers with devices from vendors that provide security updates
  • Place routers behind a dedicated firewall that blocks all traffic to the management interface from untrusted networks

🔍 How to Verify

Check if Vulnerable:

Check router firmware version via web interface: Login to router admin panel -> System Tools -> Firmware Upgrade to see current version.

Check Version:

curl -s http://router-ip/goform/getStatus | grep version

Alternatively, check the firmware version manually in the web interface.

Verify Fix Applied:

No official fix exists to verify. Verify workarounds by confirming WPS is disabled and management interface is not accessible from untrusted networks.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /goform/WifiWpsOOB
  • Repeated crash reports for the web management process in system logs, which may indicate failed overflow attempts
  • Unexpected process crashes or device restarts

Network Indicators:

  • Unusual traffic patterns to router management interface
  • Suspicious POST requests carrying an unusually long value for the 'index' parameter

SIEM Query:

source="router_logs" AND (url="/goform/WifiWpsOOB" OR message="buffer overflow" OR message="segmentation fault")
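As an added detection example (not part of the original advisory), the following Python script applies the log and network indicators above to captured HTTP request records: it flags requests to /goform/WifiWpsOOB whose 'index' parameter is unusually long or contains non-printable characters, which is the same condition the SIEM query above is trying to surface. The record format, the IP addresses, the sample lines and the 64-character threshold are constructed assumptions; adapt the parser to whatever your proxy, IDS or router syslog actually emits.

```python
"""Detection example for CVE-2024-2895: flag HTTP requests to the Tenda AC7
WPS handler (/goform/WifiWpsOOB) whose 'index' parameter is oversized or
contains non-printable data. Added illustration, not part of the advisory.
The record format, addresses, sample lines and threshold below are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

WPS_PATH = "/goform/WifiWpsOOB"
INDEX_MAX_LEN = 64  # assumption: a legitimate 'index' value is a short token

# Constructed record format: <timestamp> <src-ip> "<METHOD> <uri>" <form-body>
LINE_RE = re.compile(r'^(\S+) (\S+) "(\S+) (\S+)" ?(.*)$')

# Constructed sample capture: two benign requests, two that should be flagged.
SAMPLE_LOG = [
    '2024-03-25T10:00:01Z 192.168.1.20 "GET /goform/getStatus"',
    '2024-03-25T10:00:05Z 192.168.1.20 "POST /goform/WifiWpsOOB" index=1',
    '2024-03-25T10:00:09Z 203.0.113.7 "POST /goform/WifiWpsOOB" index=' + "A" * 300,
    '2024-03-25T10:00:12Z 203.0.113.7 "POST /goform/WifiWpsOOB?index=%01%02%03"',
]


def parse_line(line):
    """Split one record into its fields; merge query-string and body parameters."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, uri, body = m.groups()
    parts = urlsplit(uri)
    params = parse_qs(parts.query, keep_blank_values=True)
    if method == "POST" and body:
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    return {"ts": ts, "src": src, "method": method, "path": parts.path, "params": params}


def classify(req):
    """Return a reason string if the request matches the indicators, else None."""
    if req is None or req["path"] != WPS_PATH:
        return None
    for value in req["params"].get("index", []):
        if len(value) > INDEX_MAX_LEN:
            return f"index length {len(value)} exceeds {INDEX_MAX_LEN}"
        if not value.isprintable():
            return "index contains non-printable characters"
    return None


def scan(lines):
    """Return (timestamp, source, reason) for every record that matches."""
    hits = []
    for line in lines:
        req = parse_line(line)
        reason = classify(req)
        if reason:
            hits.append((req["ts"], req["src"], reason))
    return hits


if __name__ == "__main__":
    for ts, src, reason in scan(SAMPLE_LOG):
        print(f"{ts} {src} {reason}")
```

Run the file directly to scan the embedded sample; in practice, feed it lines from the same source the SIEM query reads. Keep the length threshold generous: the aim is to catch oversized values against a handler that expects a short one, not to fingerprint one particular exploit, so a benign long value costs only a false positive while a tight threshold could miss a variant.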
