CRITICAL🇵🇱 Wersja polska

CVE-2024-40515

CVSS 9.8v3.1pub. 2024-07-16upd. 2025-07-07

An issue in SHENZHEN TENDA TECHNOLOGY CO.,LTD Tenda AX2pro V16.03.29.48_cn allows a remote attacker to execute arbitrary code via the Routing functionality.

🤖 AI Analysis
How it works

The vulnerability (classified as CWE-940 — Improper Verification of Source of a Communication Channel) is found in the device's Routing functionality. A remote attacker can, without any privileges or user interaction, send a specially crafted network request that leads to arbitrary code execution on the device. The network attack vector (AV:N) with no authentication requirements (PR:N) and no user interaction (UI:N) makes the attack exceptionally simple to carry out.

Impact

An attacker can gain full control over the device, including reading and modifying its configuration, intercepting network traffic, or using the router as an entry point to the local network (lateral movement).

Mitigation & patch

Apply patches available from the manufacturer according to the references. Until an update is released, it is recommended to restrict access to the device management interface to trusted hosts only and disable remote management over the Internet.

Who is affected

Tenda AX2 Pro firmware version V16.03.29.48_cn

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Tenda Ax2 Pro

    HW
    Tenda
    wszystkie wersje
  • Tenda Ax2 Pro Firmware

    OS
    Tenda
    16.03.29.48_cn
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2021-31755CRITICAL9.8⚠ KEVten sam vendor

An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow v...

CVE-2020-10987CRITICAL9.8⚠ KEVten sam vendor

The goform/setUsbUnload endpoint of Tenda AC15 AC1900 version 15.03.05.19 allows remote attackers to execute a...

CVE-2018-14558CRITICAL9.8⚠ KEVten sam vendor

An issue was discovered on Tenda AC7 devices with firmware through V15.03.06.44_CN(AC7), AC9 devices with firm...

CVE-2018-25316CRITICAL9.3PL ✓ten sam vendor

Tenda W308R v2 — obejście uwierzytelnienia i zmiana ustawień DNS

CVE-2018-25317CRITICAL9.3PL ✓ten sam vendor

Tenda W3002R/A302/W309R — obejście uwierzytelnienia i zmiana ustawień DNS