CVE-2024-50667 – This vulnerability allows remote attackers to e... (How to Fix)

Q: What is the severity of CVE-2024-50667?

CVE-2024-50667 has a CVSS score of 9.8 (CRITICAL). This vulnerability allows remote attackers to execute arbitrary code on Trendnet TEW-820AP routers via stack overflow in the boa HTTP daemon when processing IPv6 configuration requests. Attackers can exploit insufficient IPv6 address validation in specific web form endpoints to gain full control of affected devices. All users of Trendnet TEW-820AP routers with vulnerable firmware versions are affected.

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on Trendnet TEW-820AP routers via stack overflow in the boa HTTP daemon when processing IPv6 configuration requests. Attackers can exploit insufficient IPv6 address validation in specific web form endpoints to gain full control of affected devices. All users of Trendnet TEW-820AP routers with vulnerable firmware versions are affected.

💻 Affected Systems

Products:

Trendnet TEW-820AP

Versions: 1.01.B01 (specific vulnerable version confirmed)

Operating Systems: Embedded Linux (boa HTTPd)

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerability exists in default configuration when IPv6 features are accessible via web interface.

📦 What is this software?

Tew 820ap Firmware by Trendnet

View all CVEs affecting Tew 820ap Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise leading to persistent backdoor installation, network traffic interception, lateral movement to other devices, and botnet recruitment.

🟠

Likely Case

Remote code execution allowing attackers to modify router settings, intercept traffic, or use the device as a pivot point for further attacks.

🟢

If Mitigated

Limited impact if devices are behind firewalls with strict inbound filtering and IPv6 is disabled.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices, and the exploit requires no authentication.

🏢 Internal Only: MEDIUM - Internal attackers could exploit this if they gain network access, but external exploitation is more likely.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public GitHub repository contains vulnerability details and likely exploitation methods. CVSS 9.8 indicates trivial exploitation with high impact.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.trendnet.com/support/support-detail.asp?prod=100_TEW-820AP

Restart Required: Yes

Instructions:

1. Check Trendnet website for firmware updates. 2. Download latest firmware. 3. Access router admin interface. 4. Navigate to firmware update section. 5. Upload and apply new firmware. 6. Reboot router.

🔧 Temporary Workarounds

Disable IPv6 on router

all

Prevent exploitation by disabling IPv6 functionality entirely

Access router admin interface -> Network -> IPv6 -> Disable

Restrict web interface access

all

Limit admin interface access to trusted IP addresses only

Access router admin interface -> Security -> Access Control -> Restrict to specific IPs

🧯 If You Can't Patch

Isolate affected routers in separate VLAN with strict firewall rules
Implement network monitoring for exploitation attempts and block malicious IPs

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface under System Status or Firmware Update section

Check Version:

curl -s http://router-ip/ | grep -i firmware or check web interface

Verify Fix Applied:

Verify firmware version is newer than 1.01.B01 and test IPv6 form endpoints with invalid input

📡 Detection & Monitoring

Log Indicators:

Multiple POST requests to /boafrm/formIPv6Addr, /boafrm/formIpv6Setup, /boafrm/formDnsv6 with long parameters
Router crash/restart logs
Unusual process execution in system logs

Network Indicators:

HTTP requests with abnormally long IPv6 address parameters
Traffic patterns suggesting reverse shell connections from router

SIEM Query:

source="router_logs" AND (uri="/boafrm/formIPv6Addr" OR uri="/boafrm/formIpv6Setup" OR uri="/boafrm/formDnsv6") AND parameter_length>100

📊 Metadata

CVE ID: CVE-2024-50667

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-120

Published: November 11, 2024

Last Updated: April 1, 2025

🔗 References

https://github.com/ixout/iotVuls/blob/main/Trendnet/TEW_820/report.md Exploit,Third Party Advisory
https://www.trendnet.com/support/support-detail.asp?prod=100_TEW-820AP Broken Link,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-50667, you might also want to check these: