Login Sign Up

CVE-2024-4118

8.8 HIGH
Remote Code Execution Buffer Overflow

📋 TL;DR

A critical stack-based buffer overflow vulnerability in Tenda W15E routers allows remote attackers to execute arbitrary code by sending specially crafted requests to the formIPMacBindAdd function. This affects Tenda W15E routers running firmware version 15.11.0.14. Attackers can exploit this without authentication to potentially take full control of affected devices.

💻 Affected Systems

Products:
  • Tenda W15E
Versions: 15.11.0.14
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All devices running the vulnerable firmware version are affected. The vulnerable endpoint is accessible via web interface.

📦 What is this software?

W15e Firmware by Tenda

View all CVEs affecting W15e Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete device compromise, lateral movement to internal networks, persistent backdoor installation, and botnet recruitment.

🟠

Likely Case

Device takeover enabling network traffic interception, credential theft, denial of service, and use as attack platform against internal systems.

🟢

If Mitigated

Limited impact if devices are behind firewalls with strict inbound filtering and network segmentation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code available on GitHub. Remote exploitation requires no authentication. Simple buffer overflow with predictable exploitation path.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Vendor was contacted but did not respond. Consider replacing affected devices or implementing workarounds.

🔧 Temporary Workarounds

Network Access Control

linux

Block external access to router web interface using firewall rules

iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

Disable Remote Management

all

Turn off remote management feature in router settings

🧯 If You Can't Patch

  • Isolate affected routers in separate VLAN with strict firewall rules
  • Implement network monitoring for exploit attempts and anomalous traffic

🔍 How to Verify

Check if Vulnerable:

Check router firmware version via web interface at 192.168.0.1 or using command: curl -s http://192.168.0.1/goform/getStatus | grep version

Check Version:

curl -s http://192.168.0.1/goform/getStatus | grep -o '"version":"[^"]*"'

Verify Fix Applied:

Verify firmware version is no longer 15.11.0.14. Test endpoint with safe payload to confirm overflow is prevented.

📡 Detection & Monitoring

Log Indicators:

  • Multiple POST requests to /goform/addIpMacBind with long IPMacBindRule parameters
  • Device crash/restart logs
  • Unusual process execution

Network Indicators:

  • HTTP POST requests to router IP on port 80/443 with oversized parameters
  • Traffic patterns indicating exploit delivery

SIEM Query:

source="router.log" AND (url="/goform/addIpMacBind" AND content_length>1000)

📊 Metadata

CVE ID: CVE-2024-4118
CVSS v3 Score: 8.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-121
Published: April 24, 2024
Last Updated: January 15, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-4118, you might also want to check these:

CVE-2024-39791 10.0

CVE-2024-39791 is a critical stack-based buffer overflow vulnerability in Vonets industrial WiFi bri...

Same vulnerability type (CWE-121)
CVE-2022-20699 10.0

This critical vulnerability in Cisco Small Business routers allows unauthenticated remote attackers ...

Same vulnerability type (CWE-121)
CVE-2022-20701 10.0

This CVE describes multiple critical vulnerabilities in Cisco Small Business RV series routers that ...

Same vulnerability type (CWE-121)