CVE-2024-42634
📋 TL;DR
This critical vulnerability allows remote attackers to execute arbitrary operating system commands with root privileges on Tenda AC9 routers. Attackers can exploit the command injection flaw in the httpd binary's formWriteFacMac function to gain complete control of affected devices. All users running vulnerable firmware versions are at risk.
💻 Affected Systems
- Tenda AC9
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the router allowing attackers to intercept all network traffic, install persistent malware, pivot to internal networks, and use the device as part of botnets or for cryptomining.
Likely Case
Attackers gain root access to the router, enabling them to modify DNS settings, intercept credentials, deploy malware to connected devices, and use the router for malicious activities.
If Mitigated
With proper network segmentation and firewall rules, impact could be limited to the router itself without allowing lateral movement to other systems.
🎯 Exploit Status
The GitHub reference contains technical details and proof-of-concept information that could be weaponized. The vulnerability requires no authentication and has low exploitation complexity.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Unknown
Restart Required: Yes
Instructions:
1. Check Tenda's official website for firmware updates. 2. If available, download the latest firmware for AC9. 3. Log into router admin interface. 4. Navigate to firmware upgrade section. 5. Upload and install the new firmware. 6. Reboot the router.
🔧 Temporary Workarounds
Disable Remote Management
allTurn off remote management/administration features to prevent external exploitation
Network Segmentation
allPlace the router in a separate network segment with strict firewall rules
🧯 If You Can't Patch
- Replace the vulnerable router with a different model that receives security updates
- Implement strict network monitoring and intrusion detection for the router's network segment
🔍 How to Verify
Check if Vulnerable:
Check router firmware version via admin interface. If version is v15.03.06.42, the device is vulnerable.Check Version:
Log into router admin interface and navigate to System Status or About page to view firmware version.Verify Fix Applied:
After updating firmware, verify the version is no longer v15.03.06.42 and check that the formWriteFacMac endpoint no longer accepts malicious input.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to formWriteFacMac endpoint
- Suspicious command execution in router logs
- Multiple failed login attempts followed by successful access
Network Indicators:
- Unusual outbound connections from router
- DNS hijacking or redirection
- Unexpected SSH or telnet connections to router
SIEM Query:
source="router_logs" AND (uri="*formWriteFacMac*" OR command="*;*" OR command="*|*" OR command="*`*" OR command="*$(*")