CVE-2024-2993 – This critical vulnerability in Tenda FH1203 rou... (How to Fix)

Q: What is the severity of CVE-2024-2993?

CVE-2024-2993 has a CVSS score of 8.8 (HIGH). This critical vulnerability in Tenda FH1203 routers allows remote attackers to execute arbitrary code via a stack-based buffer overflow in the PPPOE password handling function. Attackers can exploit this without authentication to potentially take full control of affected devices. All users of Tenda FH1203 routers with firmware version 2.0.1.6 are affected.

📋 TL;DR

This critical vulnerability in Tenda FH1203 routers allows remote attackers to execute arbitrary code via a stack-based buffer overflow in the PPPOE password handling function. Attackers can exploit this without authentication to potentially take full control of affected devices. All users of Tenda FH1203 routers with firmware version 2.0.1.6 are affected.

💻 Affected Systems

Products:

Tenda FH1203

Versions: 2.0.1.6

Operating Systems: Embedded router firmware

Default Config Vulnerable: ⚠️ Yes

Notes: The vulnerability exists in the default web management interface accessible via HTTP. No special configuration is required for exploitation.

📦 What is this software?

Fh1203 Firmware by Tenda

View all CVEs affecting Fh1203 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete device compromise, enabling attackers to create persistent backdoors, intercept network traffic, pivot to internal networks, or join botnets.

🟠

Likely Case

Remote code execution allowing attackers to install malware, modify device configuration, or disrupt network services.

🟢

If Mitigated

Denial of service or device crash if exploit fails to achieve code execution.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable without authentication, making internet-facing devices immediate targets.

🏢 Internal Only: MEDIUM - Internal devices are still vulnerable to attacks from compromised internal hosts or malicious insiders.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public exploit code is available on GitHub, making exploitation trivial for attackers with basic skills. The vendor has not responded to disclosure attempts.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch is available. Monitor Tenda's website for firmware updates and apply immediately when released.

🔧 Temporary Workarounds

Disable WAN Management

all

Prevent remote access to the vulnerable interface by disabling web management from the WAN/Internet side.

Network Segmentation

all

Isolate Tenda FH1203 routers in a separate VLAN with strict firewall rules limiting access to management interfaces.

🧯 If You Can't Patch

Replace affected Tenda FH1203 routers with different models from vendors with better security track records
Implement strict network access controls to limit which IP addresses can communicate with the router's management interface

🔍 How to Verify

Check if Vulnerable:

Check router firmware version via web interface at http://[router-ip]/goform/QuickIndex or via SSH/Telnet if enabled. Version 2.0.1.6 is vulnerable.

Check Version:

curl -s http://[router-ip]/goform/QuickIndex | grep version or check web interface System Status page

Verify Fix Applied:

Verify firmware version has been updated to a version later than 2.0.1.6 (when available).

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests to /goform/QuickIndex with long PPPOEPassword parameters
Router crash/reboot logs
Unusual outbound connections from router

Network Indicators:

HTTP requests with abnormally long PPPOEPassword parameters (> typical password length)
Traffic patterns suggesting router compromise (C2 communications)

SIEM Query:

source="router_logs" AND (uri_path="/goform/QuickIndex" AND (param_length>100 OR contains(param_value, suspicious_patterns)))

📊 Metadata

CVE ID: CVE-2024-2993

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-121

Published: March 27, 2024

Last Updated: January 15, 2025

🔗 References

https://github.com/abcdefg-png/IoT-vulnerable/blob/main/Tenda/FH/FH1203/formQuickIndex.md Exploit
https://vuldb.com/?ctiid.258162 Permissions Required,VDB Entry
https://vuldb.com/?id.258162 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.301372 Third Party Advisory,VDB Entry
https://github.com/abcdefg-png/IoT-vulnerable/blob/main/Tenda/FH/FH1203/formQuickIndex.md Exploit
https://vuldb.com/?ctiid.258162 Permissions Required,VDB Entry
https://vuldb.com/?id.258162 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.301372 Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-2993, you might also want to check these: