Login Sign Up

CVE-2024-4247

8.8 HIGH
Remote Code Execution Buffer Overflow

📋 TL;DR

A critical stack-based buffer overflow vulnerability in Tenda i21 routers allows remote attackers to execute arbitrary code by manipulating the ssidIndex parameter in the formQosManage_auto function. This affects Tenda i21 router firmware version 1.0.0.14(4656). Attackers can exploit this without authentication to potentially take full control of affected devices.

💻 Affected Systems

Products:
  • Tenda i21
Versions: 1.0.0.14(4656)
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All devices running this firmware version are vulnerable by default. The vulnerable function is accessible via web interface.

📦 What is this software?

I21 Firmware by Tenda

View all CVEs affecting I21 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete device compromise, persistence installation, lateral movement to internal networks, and botnet recruitment.

🟠

Likely Case

Router takeover allowing traffic interception, DNS hijacking, credential theft, and denial of service.

🟢

If Mitigated

Limited impact if devices are behind firewalls with strict inbound filtering and network segmentation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept available on GitHub. Exploitation requires sending crafted HTTP requests to the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: Yes

Instructions:

No official patch available. Contact Tenda support for firmware updates. Consider replacing affected devices if no patch is forthcoming.

🔧 Temporary Workarounds

Network Isolation

all

Place affected routers behind firewalls with strict inbound filtering to block external exploitation attempts.

Access Restriction

all

Disable remote administration and restrict web interface access to trusted internal IP addresses only.

🧯 If You Can't Patch

  • Replace affected Tenda i21 routers with patched or alternative devices
  • Implement strict network segmentation to isolate vulnerable devices from critical assets

🔍 How to Verify

Check if Vulnerable:

Check router firmware version via web interface at http://router_ip/status.asp or http://router_ip/goform/getStatus

Check Version:

curl -s http://router_ip/status.asp | grep -i version

Verify Fix Applied:

Verify firmware version has been updated beyond 1.0.0.14(4656) or device has been replaced

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP POST requests to /goform/formQosManage_auto
  • Multiple failed exploitation attempts with malformed ssidIndex parameters
  • Sudden router configuration changes

Network Indicators:

  • External IP addresses accessing router web interface on port 80/443
  • Unusual outbound connections from router to unknown destinations
  • DNS or routing table modifications

SIEM Query:

source="router_logs" AND (uri="/goform/formQosManage_auto" OR method="POST" AND uri CONTAINS "QosManage")

📊 Metadata

CVE ID: CVE-2024-4247
CVSS v3 Score: 8.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-121
Published: April 27, 2024
Last Updated: January 27, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-4247, you might also want to check these:

CVE-2024-39791 10.0

CVE-2024-39791 is a critical stack-based buffer overflow vulnerability in Vonets industrial WiFi bri...

Same vulnerability type (CWE-121)
CVE-2022-20699 10.0

This critical vulnerability in Cisco Small Business routers allows unauthenticated remote attackers ...

Same vulnerability type (CWE-121)
CVE-2022-20701 10.0

This CVE describes multiple critical vulnerabilities in Cisco Small Business RV series routers that ...

Same vulnerability type (CWE-121)