CVE-2024-30599

8.8 HIGH

📋 TL;DR

CVE-2024-30599 is a stack overflow in the addWifiMacFilter function of Tenda FH1203 routers. A specially crafted request to that function can lead to remote code execution, letting an attacker take control of the device. It affects Tenda FH1203 firmware v2.0.1.6.

💻 Affected Systems

Products:
  • Tenda FH1203
Versions: v2.0.1.6
Operating Systems: Embedded Linux (router firmware)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web management interface of the router. No special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete device compromise, allowing an attacker to install persistent malware, intercept all network traffic, pivot to internal networks, and use the device as part of a botnet.

🟠 Likely Case: Remote code execution leading to device takeover, network traffic interception, and potential credential theft from connected devices.

🟢 If Mitigated: Limited impact if the device is behind a firewall with restricted WAN access and proper network segmentation.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices with web management interfaces exposed.
🏢 Internal Only: MEDIUM - Could still be exploited by internal attackers or malware that reaches the internal network.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept available on GitHub. Exploitation requires sending a crafted HTTP request to the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: Yes

Instructions:

1. Check Tenda website for firmware updates
2. Download latest firmware for FH1203
3. Access router web interface
4. Navigate to System Tools > Firmware Upgrade
5. Upload and install new firmware
6. Reboot router

🔧 Temporary Workarounds

Disable Remote Management

Disable web interface access from the WAN/Internet.

Access router web interface > Advanced > System Tools > Remote Management > Disable

Restrict Management Access

Limit management interface access to specific IPs.

Access router web interface > Advanced > Security > Access Control > Add allowed IPs

🧯 If You Can't Patch

  • Replace vulnerable device with different model/brand
  • Place router behind firewall that blocks all inbound traffic to management interface

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router web interface: System Status > Firmware Version

Check Version:

curl -s http://router-ip/goform/getStatus | grep version

Verify Fix Applied:

Verify firmware version is no longer v2.0.1.6 after update

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP POST requests to /goform/addWifiMacFilter
  • Large deviceMac parameter values in logs
  • Multiple failed authentication attempts followed by successful exploit

Network Indicators:

  • HTTP traffic to router IP on port 80/443 with unusually long deviceMac parameter
  • Outbound connections from router to suspicious IPs post-exploitation

SIEM Query:

source="router_logs" AND ((uri="/goform/addWifiMacFilter" AND deviceMac.length>100) OR (process="malicious_binary" AND host="router_ip"))
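A small defender-side check for the log indicators above, as an added example (not from the original page): it parses request-log lines in an assumed, constructed format and flags addWifiMacFilter requests whose deviceMac value exceeds the page's 100-character threshold, and goes one step further by also flagging any value that is not a well-formed MAC address.

```python
# Flag requests to /goform/addWifiMacFilter whose deviceMac value is oversized or
# is not a MAC address at all (the log indicator listed above). Added example, not
# from the original page. Log line format is an assumption (constructed):
# "<timestamp> <client-ip> <METHOD> <uri> [<url-encoded body>]".
import re
from urllib.parse import parse_qs

TARGET_URI = "/goform/addWifiMacFilter"
LENGTH_THRESHOLD = 100  # from the page's SIEM query; a well-formed MAC is 17 chars
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<uri>\S+)(?: (?P<body>.*))?$"
)

def check_line(line):
    """Return a finding dict if the request matches the indicator, else None."""
    m = LINE_RE.match(line.strip())
    if m is None or m["uri"].split("?", 1)[0] != TARGET_URI:
        return None
    # The MAC filter form is submitted as a URL-encoded body; parse_qs decodes it.
    params = parse_qs(m["body"] or "", keep_blank_values=True)
    for mac in params.get("deviceMac", []):
        if len(mac) > LENGTH_THRESHOLD:
            reason = "oversized"   # the page's length indicator
        elif not MAC_RE.match(mac):
            reason = "malformed"   # stricter: anything that is not a MAC address
        else:
            continue
        return {"ts": m["ts"], "ip": m["ip"], "deviceMac_len": len(mac), "reason": reason}
    return None

def scan(lines):
    """Run check_line over a log and return findings in log order."""
    return [f for f in map(check_line, lines) if f is not None]

# Constructed sample log: a legitimate filter entry, an oversized value,
# an unrelated request, and a value that is not a MAC address.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z 192.0.2.10 POST /goform/addWifiMacFilter "
    "deviceMac=aa:bb:cc:dd:ee:ff&deviceId=lan",
    "2024-05-01T10:00:05Z 198.51.100.7 POST /goform/addWifiMacFilter "
    "deviceMac=" + "A" * 300,
    "2024-05-01T10:00:09Z 192.0.2.11 GET /goform/getStatus",
    "2024-05-01T10:00:12Z 192.0.2.12 POST /goform/addWifiMacFilter deviceMac=not-a-mac",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Feed it the router's real request log once you know its line layout; only LINE_RE needs to change.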
