CVE-2024-2990 – This critical vulnerability in Tenda FH1203 rou... (How to Fix)

Q: What is the severity of CVE-2024-2990?

CVE-2024-2990 has a CVSS score of 8.8 (HIGH). This critical vulnerability in Tenda FH1203 routers allows remote attackers to execute arbitrary code via a stack-based buffer overflow in the formexeCommand function. Attackers can exploit this without authentication to potentially take full control of affected devices. All users running vulnerable firmware versions are affected.

📋 TL;DR

This critical vulnerability in Tenda FH1203 routers allows remote attackers to execute arbitrary code via a stack-based buffer overflow in the formexeCommand function. Attackers can exploit this without authentication to potentially take full control of affected devices. All users running vulnerable firmware versions are affected.

💻 Affected Systems

Products:

Tenda FH1203

Versions: 2.0.1.6 (likely affects earlier versions too)

Operating Systems: Embedded router firmware

Default Config Vulnerable: ⚠️ Yes

Notes: The vulnerable endpoint /goform/execCommand appears to be accessible by default. No special configuration required for exploitation.

📦 What is this software?

Fh1203 Firmware by Tenda

View all CVEs affecting Fh1203 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise leading to persistent backdoor installation, network traffic interception, lateral movement to other devices, and botnet recruitment.

🟠

Likely Case

Remote code execution allowing attackers to modify router settings, intercept traffic, or use the device as a pivot point for further attacks.

🟢

If Mitigated

Limited impact if device is behind firewall with strict inbound rules, though internal network exposure remains a concern.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable without authentication and public exploit details exist.

🏢 Internal Only: HIGH - Even internally, the vulnerability can be exploited by any network-adjacent attacker to compromise the router.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public GitHub repository contains detailed exploitation information. The vulnerability requires sending crafted HTTP requests to the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available - vendor did not respond to disclosure

Restart Required: Yes

Instructions:

No official patch available. Consider replacing affected devices with supported models from vendors that provide security updates.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate Tenda FH1203 routers in separate VLAN with strict firewall rules blocking access to management interfaces.

Access Control Lists

all

Implement network ACLs to restrict access to router management interface (port 80/443) to trusted IP addresses only.

🧯 If You Can't Patch

Replace affected Tenda FH1203 routers with devices from vendors that provide security updates
Deploy network monitoring to detect exploitation attempts and isolate compromised devices immediately

🔍 How to Verify

Check if Vulnerable:

Check router firmware version via web interface at 192.168.0.1 or 192.168.1.1. If version is 2.0.1.6 or earlier, device is likely vulnerable.

Check Version:

curl -s http://router-ip/goform/getStatus | grep version or check web interface

Verify Fix Applied:

No fix available to verify. Consider testing with network vulnerability scanner for CVE-2024-2990 detection.

📡 Detection & Monitoring

Log Indicators:

HTTP POST requests to /goform/execCommand with unusual cmdinput parameter values
Router crash/restart logs
Unusual process execution in router logs

Network Indicators:

HTTP traffic to router IP on port 80/443 with POST to /goform/execCommand containing long cmdinput parameters
Sudden outbound connections from router to suspicious IPs

SIEM Query:

source="router_logs" AND (url="/goform/execCommand" OR cmdinput="*")

📊 Metadata

CVE ID: CVE-2024-2990

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-121

Published: March 27, 2024

Last Updated: January 15, 2025

🔗 References

https://github.com/abcdefg-png/IoT-vulnerable/blob/main/Tenda/FH/FH1203/formexeCommand.md Exploit
https://vuldb.com/?ctiid.258159 Permissions Required,VDB Entry
https://vuldb.com/?id.258159 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.301365 Third Party Advisory,VDB Entry
https://github.com/abcdefg-png/IoT-vulnerable/blob/main/Tenda/FH/FH1203/formexeCommand.md Exploit
https://vuldb.com/?ctiid.258159 Permissions Required,VDB Entry
https://vuldb.com/?id.258159 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.301365 Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-2990, you might also want to check these: