Login Sign Up

CVE-2024-4239

8.8 HIGH
Remote Code Execution Buffer Overflow

📋 TL;DR

A critical stack-based buffer overflow vulnerability in Tenda AX1806 routers allows remote attackers to execute arbitrary code by manipulating the rebootTime parameter. This affects Tenda AX1806 routers running firmware version 1.0.0.1. The vulnerability is remotely exploitable without authentication.

💻 Affected Systems

Products:
  • Tenda AX1806
Versions: 1.0.0.1
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All devices running the vulnerable firmware version are affected. The vulnerable endpoint is accessible via web interface.

📦 What is this software?

Ax1806 Firmware by Tenda

View all CVEs affecting Ax1806 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete device compromise, persistence, lateral movement, and botnet recruitment.

🟠

Likely Case

Device takeover, credential theft, DNS hijacking, and network surveillance.

🟢

If Mitigated

Denial of service or device crash if exploit fails or is blocked.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and affects internet-facing routers.
🏢 Internal Only: MEDIUM - Internal routers could be targeted via phishing or compromised internal hosts.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available on GitHub. The vulnerability requires no authentication and has a simple exploitation path.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: Yes

Instructions:

No official patch available. Contact Tenda support for firmware updates. If update becomes available, download from official Tenda website and flash via web interface.

🔧 Temporary Workarounds

Disable remote management

all

Disable remote administration features to prevent external exploitation.

Access router web interface > Advanced > System Tools > Remote Management > Disable

Network segmentation

all

Isolate affected routers in separate VLANs to limit lateral movement.

🧯 If You Can't Patch

  • Replace affected routers with different models or brands
  • Implement strict network access controls to limit traffic to router management interfaces

🔍 How to Verify

Check if Vulnerable:

Check router firmware version via web interface: Login > Advanced > System Tools > Firmware Upgrade. If version is 1.0.0.1, device is vulnerable.

Check Version:

curl -s http://router-ip/goform/getStatus | grep version

Verify Fix Applied:

Verify firmware version is no longer 1.0.0.1. Test if /goform/SetRebootTimer endpoint still accepts malformed rebootTime parameter.

📡 Detection & Monitoring

Log Indicators:

  • Multiple POST requests to /goform/SetRebootTimer with long rebootTime parameters
  • Device reboot logs following suspicious requests

Network Indicators:

  • Unusual outbound connections from router
  • DNS queries to suspicious domains
  • Traffic patterns indicating command and control

SIEM Query:

source="router_logs" AND (url="/goform/SetRebootTimer" AND content_length>100) OR (event="reboot" AND source_ip!=local_admin)

📊 Metadata

CVE ID: CVE-2024-4239
CVSS v3 Score: 8.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-121
Published: April 26, 2024
Last Updated: January 27, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-4239, you might also want to check these:

CVE-2024-39791 10.0

CVE-2024-39791 is a critical stack-based buffer overflow vulnerability in Vonets industrial WiFi bri...

Same vulnerability type (CWE-121)
CVE-2022-20699 10.0

This critical vulnerability in Cisco Small Business routers allows unauthenticated remote attackers ...

Same vulnerability type (CWE-121)
CVE-2022-20701 10.0

This CVE describes multiple critical vulnerabilities in Cisco Small Business RV series routers that ...

Same vulnerability type (CWE-121)