CVE-2024-35339 – This CVE describes a command injection vulnerab... (How to Fix)

Q: What is the severity of CVE-2024-35339?

CVE-2024-35339 has a CVSS score of 9.8 (CRITICAL). This CVE describes a command injection vulnerability in Tenda FH1206 routers that allows remote attackers to execute arbitrary commands on the device. Attackers can exploit this by sending specially crafted requests to the vulnerable endpoint, potentially gaining full control of the router. This affects users running the vulnerable firmware version on Tenda FH1206 routers.

📋 TL;DR

This CVE describes a command injection vulnerability in Tenda FH1206 routers that allows remote attackers to execute arbitrary commands on the device. Attackers can exploit this by sending specially crafted requests to the vulnerable endpoint, potentially gaining full control of the router. This affects users running the vulnerable firmware version on Tenda FH1206 routers.

💻 Affected Systems

Products:

Tenda FH1206

Versions: V1.2.0.8(8155)

Operating Systems: Embedded Linux (router firmware)

Default Config Vulnerable: ⚠️ Yes

Notes: The vulnerability exists in the web management interface and is accessible by default. No special configuration is required for exploitation.

📦 What is this software?

Fh1206 Firmware by Tenda

View all CVEs affecting Fh1206 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the router allowing attackers to intercept all network traffic, install persistent backdoors, pivot to internal networks, and use the device for botnet activities.

🟠

Likely Case

Attackers gain shell access to the router, modify network settings, intercept credentials, and potentially compromise connected devices.

🟢

If Mitigated

With proper network segmentation and firewall rules, impact is limited to the router itself without lateral movement to other systems.

🌐 Internet-Facing: HIGH - The vulnerable endpoint is accessible via web interface, making internet-facing routers immediately vulnerable to remote exploitation.

🏢 Internal Only: HIGH - Even internally, any attacker with network access can exploit this vulnerability to compromise the router.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

The vulnerability requires no authentication and has a simple exploitation path via HTTP POST requests. Public proof-of-concept demonstrates command execution.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check Tenda website for firmware updates. 2. Download latest firmware for FH1206. 3. Access router admin interface. 4. Navigate to System Tools > Firmware Upgrade. 5. Upload and install new firmware. 6. Reboot router.

🔧 Temporary Workarounds

Block Vulnerable Endpoint

linux

Use router firewall or external firewall to block access to the vulnerable endpoint

iptables -A INPUT -p tcp --dport 80 -m string --string "ip/goform/WriteFacMac" --algo bm -j DROP
iptables -A INPUT -p tcp --dport 443 -m string --string "ip/goform/WriteFacMac" --algo bm -j DROP

Disable Remote Management

all

Turn off remote management access to the router's web interface

🧯 If You Can't Patch

Isolate the router on a dedicated VLAN with strict firewall rules
Implement network monitoring for suspicious requests to the vulnerable endpoint

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface under System Status or System Tools. If version is V1.2.0.8(8155), the device is vulnerable.

Check Version:

curl -s http://router-ip/ | grep -i firmware || ssh admin@router-ip 'cat /etc/version'

Verify Fix Applied:

After updating firmware, verify version has changed from V1.2.0.8(8155) to a newer version. Test the endpoint with safe payloads to confirm command injection is no longer possible.

📡 Detection & Monitoring

Log Indicators:

HTTP POST requests to /ip/goform/WriteFacMac with unusual mac parameter values
System logs showing unexpected command execution or process creation

Network Indicators:

HTTP traffic containing shell metacharacters in POST parameters
Outbound connections from router to suspicious IPs

SIEM Query:

source="router-logs" AND (url="/ip/goform/WriteFacMac" AND (method="POST") AND (param="mac" CONTAINS "|" OR param="mac" CONTAINS ";" OR param="mac" CONTAINS "`"))

📊 Metadata

CVE ID: CVE-2024-35339

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-94

Published: May 24, 2024

Last Updated: April 9, 2025

🔗 References

https://palm-vertebra-fe9.notion.site/formWriteFacMac_RCE-d70cf636739e4a769b1f919ffed4a2a0 Exploit,Third Party Advisory
https://palm-vertebra-fe9.notion.site/formWriteFacMac_RCE-d70cf636739e4a769b1f919ffed4a2a0 Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-35339, you might also want to check these: