CVE-2024-33835

9.8 CRITICAL

📋 TL;DR

CVE-2024-33835 is a stack overflow in the formSetSafeWanWebMan function of Tenda AC18 routers: a remote attacker who sends a specially crafted request with an oversized remoteIp parameter can execute arbitrary code. The vulnerability affects Tenda AC18 routers running firmware version V15.03.05.05. Attackers can exploit this without authentication to potentially take full control of affected devices.

💻 Affected Systems

Products:
  • Tenda AC18
Versions: V15.03.05.05
Operating Systems: Embedded Linux (router firmware)
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability is in the web management interface's formSetSafeWanWebMan function. Default configurations appear vulnerable as the function is part of the management interface.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote unauthenticated attacker gains full root shell access to the router, enabling them to intercept all network traffic, install persistent malware, pivot to internal networks, and brick the device.

🟠 Likely Case

Remote attacker executes arbitrary code with root privileges, potentially creating a botnet node, intercepting credentials, or modifying router configuration.

🟢 If Mitigated

With proper network segmentation and firewall rules, impact is limited to the router itself, though device compromise still allows traffic interception and lateral movement attempts.

🌐 Internet-Facing: HIGH - The vulnerable function appears to be accessible remotely without authentication, making internet-exposed devices immediately vulnerable to exploitation.
🏢 Internal Only: MEDIUM - Internal attackers or malware could exploit this to gain router control, but requires network access to the management interface.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The GitHub reference contains technical details about the vulnerability and exploitation method. Stack overflow vulnerabilities in embedded devices are frequently weaponized due to their remote, unauthenticated nature.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: Yes

Instructions:

1. Check Tenda's official website for firmware updates.
2. Download the latest firmware for AC18.
3. Access router web interface.
4. Navigate to System Tools > Firmware Upgrade.
5. Upload and install the new firmware.
6. Wait for router to reboot.

🔧 Temporary Workarounds

Disable Remote Management

all

Prevent external access to the vulnerable web management interface

Access router web interface > System Tools > Remote Management > Disable

Restrict Management Interface Access

all

Limit access to router management interface to trusted IPs only

Access router web interface > Security > Firewall > Add rule to block WAN access to management ports

🧯 If You Can't Patch

  • Isolate the router in a separate VLAN with strict firewall rules preventing internet access to management interfaces
  • Implement network monitoring for unusual traffic patterns or exploit attempts targeting the router

🔍 How to Verify

Check if Vulnerable:

Check router firmware version via web interface: System Status > Firmware Version. If version is V15.03.05.05, device is vulnerable.

Check Version:

curl -s http://router-ip/goform/getStatus | grep version

Verify Fix Applied:

After updating firmware, verify version is no longer V15.03.05.05. Test by attempting to access the vulnerable endpoint with proper security testing tools.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to formSetSafeWanWebMan endpoint
  • Large payloads sent to remoteIp parameter
  • Router reboot events following suspicious requests

Network Indicators:

  • HTTP POST requests to /goform/setSafeWanWebMan with oversized remoteIp parameter
  • Unusual outbound connections from router after exploitation

SIEM Query:

source="router_logs" uri_path="/goform/setSafeWanWebMan" | where len(remoteIp) > 100
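
The network indicator above, written as a log filter. This is an added example, not code from the advisory or from Tenda; the JSON-lines log format (src, method, uri, body fields) and all sample lines are constructed, and the 100-character threshold is the one used in the SIEM query.

```python
import json
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/goform/setSafeWanWebMan"  # path from the network indicators above
PARAM = "remoteIp"                     # parameter named on the page
MAX_LEN = 100                          # threshold used in the page's SIEM query

def remote_ip_values(uri, body):
    """Return every decoded remoteIp value from the query string and form body."""
    values = []
    for encoded in (urlsplit(uri).query, body or ""):
        # parse_qs percent-decodes and keeps repeated parameters; latin-1 maps
        # each decoded byte to one character, so len() counts bytes.
        fields = parse_qs(encoded, keep_blank_values=True, encoding="latin-1")
        values += fields.get(PARAM, [])
    return values

def flag_oversized(log_lines, max_len=MAX_LEN):
    """Return (src, length) for each POST to ENDPOINT with an oversized remoteIp."""
    hits = []
    for line in log_lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        uri = rec.get("uri", "")
        if rec.get("method", "").upper() != "POST" or urlsplit(uri).path != ENDPOINT:
            continue
        longest = max(map(len, remote_ip_values(uri, rec.get("body"))), default=0)
        if longest > max_len:
            hits.append((rec.get("src"), longest))
    return hits

def _rec(src, method, uri, body):
    return json.dumps({"src": src, "method": method, "uri": uri, "body": body})

# Constructed sample log (assumed JSON-lines format; documentation IP ranges).
SAMPLE_LOG = [
    _rec("192.0.2.10", "POST", ENDPOINT, "remoteIp=192.168.0.50"),      # normal
    _rec("198.51.100.7", "POST", ENDPOINT, "remoteIp=" + "A" * 300),    # oversized
    _rec("198.51.100.8", "POST", ENDPOINT, "remoteIp=" + "%41" * 120),  # oversized once decoded
    _rec("198.51.100.9", "POST", ENDPOINT, "remoteIp=" + "%31" * 40),   # 120 raw chars, 40 decoded
    _rec("192.0.2.11", "POST", "/goform/example", "remoteIp=" + "A" * 300),  # other path (constructed)
    "truncated {",                                                       # malformed line
]

if __name__ == "__main__":
    for src, length in flag_oversized(SAMPLE_LOG):
        print(f"ALERT src={src} remoteIp length={length}")
```

Measuring the decoded value avoids false positives on percent-encoded but short values, which a raw length check on the request body would flag.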

🔗 References