CVE-2024-2977

8.8 HIGH

📋 TL;DR

A critical stack-based buffer overflow vulnerability in Tenda F1203 routers allows remote attackers to execute arbitrary code by manipulating the PPPOEPassword parameter. This affects Tenda F1203 firmware version 2.0.1.6. Attackers can exploit this without authentication to potentially take full control of affected devices.

💻 Affected Systems

Products:
  • Tenda F1203
Versions: 2.0.1.6
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All devices running the vulnerable firmware version are affected. The vulnerable endpoint is accessible via the web interface.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete device compromise, lateral movement to internal networks, persistent backdoor installation, and botnet recruitment.

🟠 Likely Case

Device takeover for credential theft, network traffic interception, or use as a pivot point for internal attacks.

🟢 If Mitigated

Limited to denial of service if exploit attempts are blocked at network perimeter.

🌐 Internet-Facing: HIGH - Exploitable remotely without authentication on internet-facing devices.
🏢 Internal Only: MEDIUM - Still exploitable from internal networks but requires initial network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code is available. The vulnerability requires no authentication and has straightforward exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: Yes

Instructions:

No official patch available. Contact Tenda support for firmware updates. Consider replacing affected devices if no patch is forthcoming.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate Tenda F1203 routers from the internet and restrict access to management interfaces.

Access Control Lists

linux

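Block access to the /goform/QuickIndex endpoint at the network perimeter. On a Linux gateway that routes traffic to the router, the rule belongs in the FORWARD chain (INPUT only matches traffic addressed to the gateway itself). The string match inspects each packet on its own and only sees cleartext HTTP, so use it alongside segmentation rather than instead of it.

iptables -A FORWARD -p tcp --dport 80 -m string --string "/goform/QuickIndex" --algo bm -j DROP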

🧯 If You Can't Patch

  • Replace affected Tenda F1203 routers with alternative models from different vendors
  • Implement strict network segmentation to isolate vulnerable devices from critical assets

🔍 How to Verify

Check if Vulnerable:

Check router web interface for firmware version. If version is 2.0.1.6, device is vulnerable.

Check Version:

Access router web interface at http://[router-ip]/ and check firmware version in system settings

Verify Fix Applied:

Verify firmware version has been updated to a version later than 2.0.1.6.

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to /goform/QuickIndex with long PPPOEPassword parameters
  • Unusual process execution or memory errors in router logs

Network Indicators:

  • HTTP traffic to router IP on port 80 with POST to /goform/QuickIndex
  • Unusual outbound connections from router

SIEM Query:

source="router_logs" AND (uri_path="/goform/QuickIndex" OR (http_method="POST" AND uri_path CONTAINS "QuickIndex"))
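
Added example (not part of the original advisory or any vendor tooling): a log check for the first indicator above, flagging POST requests to /goform/QuickIndex whose decoded PPPOEPassword value is unusually long. The JSON record layout (src, method, uri, body), the 64-byte threshold and the sample records are assumptions made for illustration; the page does not state the buffer size.

```python
import json
from urllib.parse import parse_qsl, unquote, urlsplit

ENDPOINT = "/goform/QuickIndex"   # endpoint named on this page
PARAM = "PPPOEPassword"           # parameter named on this page
MAX_LEN = 64  # assumption: alert threshold; the page does not give the buffer size

def password_lengths(rec):
    """Decoded lengths of every PPPOEPassword value in a POST to the endpoint."""
    url = urlsplit(str(rec.get("uri", "")))
    if str(rec.get("method", "")).upper() != "POST" or unquote(url.path) != ENDPOINT:
        return []
    # latin-1 maps each percent-decoded byte to one character, so len() counts bytes
    fields = parse_qsl(url.query, keep_blank_values=True, encoding="latin-1")
    fields += parse_qsl(rec.get("body") or "", keep_blank_values=True, encoding="latin-1")
    return [len(value) for name, value in fields if name == PARAM]

def scan(lines, max_len=MAX_LEN):
    """Return one alert per oversized PPPOEPassword value; skip unparsable lines."""
    alerts = []
    for lineno, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(rec, dict):
            continue
        for length in password_lengths(rec):
            if length > max_len:
                alerts.append({"line": lineno, "src": rec.get("src"), "length": length})
    return alerts

# Constructed sample records (not captured traffic); field names are assumptions.
SAMPLE = [
    json.dumps({"src": "192.0.2.10", "method": "POST", "uri": ENDPOINT,
                "body": "PPPOEPassword=short-secret"}),
    json.dumps({"src": "198.51.100.7", "method": "POST", "uri": ENDPOINT,
                "body": "PPPOEPassword=" + "A" * 600}),
    json.dumps({"src": "198.51.100.8", "method": "POST", "uri": ENDPOINT,
                "body": "PPPOE%50assword=" + "%41" * 300}),
    json.dumps({"src": "192.0.2.11", "method": "GET", "uri": "/index.html?x=" + "B" * 600}),
    "not-json",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

Names and values are percent-decoded before matching, so the length that is compared is the one the device would receive rather than the length on the wire.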
