CVE-2024-40417

6.5 MEDIUM

📋 TL;DR

A stack-based buffer overflow vulnerability exists in Tenda AX1806 routers running firmware version 1.0.0.1. Attackers can exploit this by sending specially crafted requests to the /goform/SetIpMacBind endpoint, potentially allowing remote code execution. This affects users who haven't updated their router firmware.

💻 Affected Systems

Products:
  • Tenda AX1806
Versions: 1.0.0.1
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web management interface, which is typically enabled by default on the local network.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote unauthenticated attacker gains full control of the router, enabling traffic interception, network pivoting, or persistent backdoor installation.

🟠 Likely Case

Router crashes or becomes unstable, causing denial of service for connected devices.

🟢 If Mitigated

With proper network segmentation and firewall rules, impact is limited to the router itself without lateral movement.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A public proof-of-concept in a GitHub repository shows exploitation details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not found

Restart Required: Yes

Instructions:

1. Check Tenda website for firmware updates
2. Download latest firmware for AX1806
3. Access router admin panel
4. Navigate to System Tools > Firmware Upgrade
5. Upload and apply new firmware
6. Reboot router

🔧 Temporary Workarounds

Disable Remote Management

all

Prevent external access to router management interface

Network Segmentation

all

Isolate router management interface to separate VLAN

🧯 If You Can't Patch

  • Replace affected router with different model/brand
  • Implement strict firewall rules blocking access to ports 80/443 on the router IP

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin panel under System Status

Check Version:

curl -s http://router-ip/goform/getStatus | grep version

Verify Fix Applied:

Verify firmware version is no longer 1.0.0.1 after update

📡 Detection & Monitoring

Log Indicators:

  • Multiple POST requests to /goform/SetIpMacBind with large payloads
  • Router crash/reboot logs

Network Indicators:

  • Unusual HTTP traffic to router management port with oversized parameters

SIEM Query:

source="router.log" AND (url="/goform/SetIpMacBind" AND content_length>1000)
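
The same check can be run offline over exported logs. The following is an added example, not part of the original advisory or any vendor tooling: it flags oversized POSTs to /goform/SetIpMacBind and lists sources that repeat them. The key=value log layout, the field names, the repeat threshold and the sample lines are assumptions, since the advisory does not define the format of router.log.

```python
import re
from collections import defaultdict

ENDPOINT = "/goform/SetIpMacBind"  # endpoint named in the advisory
SIZE_THRESHOLD = 1000              # same cut-off as the SIEM query
REPEAT_THRESHOLD = 2               # assumption: "multiple" means 2+ hits per source

# Assumed key=value layout; the advisory does not define router.log's format.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE_LOG = """\
ts=2024-07-10T10:00:01Z src=192.0.2.10 method=GET url="/goform/getStatus" content_length=0
ts=2024-07-10T10:00:05Z src=192.0.2.10 method=POST url="/goform/SetIpMacBind" content_length=180
ts=2024-07-10T10:02:11Z src=198.51.100.7 method=POST url="/goform/SetIpMacBind" content_length=4096
ts=2024-07-10T10:02:12Z src=198.51.100.7 method=POST url="/goform/SetIpMacBind?x=1" content_length=8192
ts=2024-07-10T10:03:40Z src=192.0.2.25 method=POST url="/goform/example" content_length=5000
ts=2024-07-10T10:04:02Z src=192.0.2.25 method=POST url="/goform/SetIpMacBind" content_length=1500
"""


def parse_line(line):
    """Split one key=value log line into a dict, dropping surrounding quotes."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def find_oversized_posts(log_text, size_threshold=SIZE_THRESHOLD):
    """Return {source_ip: [content_length, ...]} for oversized POSTs to ENDPOINT."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        path = rec.get("url", "").split("?", 1)[0]  # ignore any query string
        if rec.get("method", "").upper() != "POST" or path != ENDPOINT:
            continue
        try:
            size = int(rec.get("content_length", ""))
        except ValueError:
            continue  # no usable size field on this line
        if size > size_threshold:
            hits[rec.get("src", "unknown")].append(size)
    return dict(hits)


def repeat_sources(hits, repeat_threshold=REPEAT_THRESHOLD):
    """Sources with enough oversized POSTs to match the 'multiple requests' indicator."""
    return sorted(src for src, sizes in hits.items() if len(sizes) >= repeat_threshold)


if __name__ == "__main__":
    found = find_oversized_posts(SAMPLE_LOG)
    print(found, repeat_sources(found))
```

Correlating the flagged timestamps with router crash or reboot entries covers the second log indicator listed above.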
