Login Sign Up

CVE-2024-4120

8.8 HIGH
Remote Code Execution Buffer Overflow

📋 TL;DR

A critical stack-based buffer overflow vulnerability in Tenda W15E routers allows remote attackers to execute arbitrary code by sending specially crafted requests to the formIPMacBindModify function. This affects all users of Tenda W15E routers running version 15.11.0.14. Successful exploitation could lead to complete device compromise.

💻 Affected Systems

Products:
  • Tenda W15E
Versions: 15.11.0.14
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All devices running the affected firmware version are vulnerable by default.

📦 What is this software?

W15e Firmware by Tenda

View all CVEs affecting W15e Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to full router compromise, credential theft, network traffic interception, and lateral movement into connected devices.

🟠

Likely Case

Router compromise leading to denial of service, DNS hijacking, or credential harvesting from connected devices.

🟢

If Mitigated

Limited impact if device is behind firewall with restricted WAN access and proper network segmentation.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and routers are typically internet-facing devices.
🏢 Internal Only: MEDIUM - Could still be exploited from within the network by compromised devices or malicious insiders.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code is available, making exploitation straightforward for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: Yes

Instructions:

No official patch available. Contact Tenda support for firmware updates or replace affected devices.

🔧 Temporary Workarounds

Disable remote management

all

Disable WAN access to router administration interface

Network segmentation

all

Place router in isolated network segment with strict firewall rules

🧯 If You Can't Patch

  • Replace affected Tenda W15E routers with different models or brands
  • Implement strict network monitoring and intrusion detection for suspicious traffic to router management interface

🔍 How to Verify

Check if Vulnerable:

Check router firmware version via web interface at 192.168.0.1 or 192.168.1.1, login and navigate to System Status or About page.

Check Version:

No CLI command available. Must use web interface.

Verify Fix Applied:

Verify firmware version has been updated to a version newer than 15.11.0.14 (if available).

📡 Detection & Monitoring

Log Indicators:

  • Multiple POST requests to /goform/modifyIpMacBind with long parameter values
  • Router crash/reboot logs
  • Unusual process execution

Network Indicators:

  • HTTP POST requests to router IP on port 80 targeting /goform/modifyIpMacBind with unusually long parameters

SIEM Query:

http.method:POST AND http.uri:"/goform/modifyIpMacBind" AND (http.param_length > 100 OR http.request_size > 500)

📊 Metadata

CVE ID: CVE-2024-4120
CVSS v3 Score: 8.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-121
Published: April 24, 2024
Last Updated: January 15, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-4120, you might also want to check these:

CVE-2024-39791 10.0

CVE-2024-39791 is a critical stack-based buffer overflow vulnerability in Vonets industrial WiFi bri...

Same vulnerability type (CWE-121)
CVE-2022-20699 10.0

This critical vulnerability in Cisco Small Business routers allows unauthenticated remote attackers ...

Same vulnerability type (CWE-121)
CVE-2022-20701 10.0

This CVE describes multiple critical vulnerabilities in Cisco Small Business RV series routers that ...

Same vulnerability type (CWE-121)