CVE-2024-3008 – This critical vulnerability in Tenda FH1205 rou... (How to Fix)

Q: What is the severity of CVE-2024-3008?

CVE-2024-3008 has a CVSS score of 8.8 (HIGH). This critical vulnerability in Tenda FH1205 routers allows remote attackers to execute arbitrary code via a stack-based buffer overflow in the formexeCommand function. Attackers can exploit this without authentication to potentially take full control of affected devices. All users of Tenda FH1205 routers with version 2.0.0.7(775) are affected.

📋 TL;DR

This critical vulnerability in Tenda FH1205 routers allows remote attackers to execute arbitrary code via a stack-based buffer overflow in the formexeCommand function. Attackers can exploit this without authentication to potentially take full control of affected devices. All users of Tenda FH1205 routers with version 2.0.0.7(775) are affected.

💻 Affected Systems

Products:

Tenda FH1205

Versions: 2.0.0.7(775)

Operating Systems: Embedded router firmware

Default Config Vulnerable: ⚠️ Yes

Notes: All devices running this specific firmware version are vulnerable by default. The vulnerable endpoint is accessible via web interface.

📦 What is this software?

Fh1205 Firmware by Tenda

View all CVEs affecting Fh1205 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise leading to persistent backdoor installation, network traffic interception, lateral movement to other devices, and botnet recruitment.

🟠

Likely Case

Remote code execution allowing attackers to modify router settings, intercept traffic, or use the device as a pivot point for further attacks.

🟢

If Mitigated

If properly segmented and firewalled, impact limited to the router itself without lateral movement to other network segments.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable without authentication and public exploit code exists.

🏢 Internal Only: MEDIUM - Still exploitable from internal networks but requires attacker presence on the network.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public exploit code is available on GitHub. The vulnerability requires no authentication and has straightforward exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available - vendor did not respond to disclosure

Restart Required: Yes

Instructions:

No official patch available. Consider replacing affected devices or implementing workarounds.

🔧 Temporary Workarounds

Block Web Interface Access

all

Restrict access to the router's web management interface to trusted IP addresses only

Configure firewall rules to block external access to port 80/443 on the router
Use router's built-in access control to restrict management IPs

Disable Remote Management

all

Turn off remote management features if enabled

Login to router admin panel
Navigate to System Tools > Remote Management
Disable remote management

🧯 If You Can't Patch

Segment affected routers on isolated network segments
Implement strict egress filtering to prevent compromised devices from contacting command and control servers

🔍 How to Verify

Check if Vulnerable:

Check router firmware version via web interface at 192.168.0.1 or 192.168.1.1, login and check System Status > Firmware Version

Check Version:

curl -s http://router-ip/goform/getStatus | grep version or check web interface manually

Verify Fix Applied:

No official fix available to verify. Workarounds can be verified by testing if web interface is inaccessible from untrusted networks.

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests to /goform/execCommand
Multiple failed buffer overflow attempts in web server logs
Unexpected process crashes or router reboots

Network Indicators:

Unusual outbound connections from router to unknown IPs
Traffic patterns suggesting command and control communication
Port scanning originating from router

SIEM Query:

source="router_logs" AND (url="/goform/execCommand" OR cmdinput=*)

📊 Metadata

CVE ID: CVE-2024-3008

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-121

Published: March 27, 2024

Last Updated: January 15, 2025

🔗 References

https://github.com/abcdefg-png/IoT-vulnerable/blob/main/Tenda/FH/FH1205/formexeCommand.md Exploit,Third Party Advisory
https://vuldb.com/?ctiid.258294 Permissions Required,Third Party Advisory,VDB Entry
https://vuldb.com/?id.258294 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.301487 Third Party Advisory,VDB Entry
https://github.com/abcdefg-png/IoT-vulnerable/blob/main/Tenda/FH/FH1205/formexeCommand.md Exploit,Third Party Advisory
https://vuldb.com/?ctiid.258294 Permissions Required,Third Party Advisory,VDB Entry
https://vuldb.com/?id.258294 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.301487 Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-3008, you might also want to check these: