In Tenda ac9 v1.0 with firmware V15.03.05.14_multi, the rebootTime parameter of /goform/SetSysAutoRebbotCfg has a stack overflow vulnerability, which can lead to remote arbitrary code execution.
The vulnerability results from insufficient validation of input data length for the rebootTime parameter sent to the /goform/SetSysAutoRebbotCfg endpoint. An excessively long parameter value causes stack buffer overflow (stack overflow, CWE-121), overwriting stack control data, including the function return address. The attacker can thus redirect code execution to their own payload, achieving remote code execution (RCE) without the need for authentication.
A remote attacker without any privileges can take full control of the device by executing arbitrary code (RCE), which potentially leads to violations of confidentiality, integrity, and system availability.
Apply patches available from the manufacturer according to the references. Until an update is released, it is recommended to restrict access to the device's administrative panel exclusively to trusted local networks and block access to the management interface from external networks using a firewall.
Tenda AC9 v1.0 with firmware V15.03.05.14_multi
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HTenda Ac9
HWTenda1.0Tenda Ac9 Firmware
OSTenda15.03.05.14_multi
Related vulnerabilities
An issue was discovered on Tenda AC7 devices with firmware through V15.03.06.44_CN(AC7), AC9 devices with firm...
Command injection w funkcji Telnet routera Tenda AC9
Command injection w Tenda AC9 — funkcja formSetSambaConf (parametr usbname)
Command injection w Tenda AC9 via parametr deviceName
Tenda AC9 – stack overflow w WifiBasicSet umożliwia zdalny RCE