Exploit
CVE-2024-50853

Improper Neutralization of Special Elements used in a Command ('Command Injection') (CWE-77)

Published: Nov 13, 2024 / Updated: 6d ago

010
CVSS 8.8EPSS 0.04%High
CVE info copied to clipboard

Summary

A command injection vulnerability was discovered in the Tenda G3 v3.0 router running firmware version 15.11.0.20. The vulnerability is specifically located in the formSetDebugCfg function. This vulnerability allows an attacker with access to the adjacent network and low privileges to execute arbitrary commands on the affected device.

Impact

The potential impact of this vulnerability is severe. It could lead to complete compromise of the system's confidentiality, integrity, and availability. An attacker could potentially gain unauthorized access, modify system configurations, or disrupt services running on the affected device. The CVSS base score of 8.0 indicates a high severity, with high impacts on confidentiality, integrity, and availability. The attack vector is from an adjacent network, requires low attack complexity, and no user interaction, making it relatively easy to exploit for an attacker with the right positioning.

Exploitation

One proof-of-concept exploit is available on github.com. There is no evidence of proof of exploitation at the moment.

Patch

As of the current information, there is no mention of an available patch for this vulnerability. Users of the affected Tenda G3 v3.0 router with firmware version 15.11.0.20 should monitor the vendor's website for any security updates or patches that may be released in the future.

Mitigation

Until a patch is available, the following mitigation strategies are recommended: 1. Limit access to the router's management interface to trusted networks only. 2. Implement strong network segmentation to isolate the affected devices. 3. Monitor for any suspicious activities or unauthorized access attempts. 4. If possible, consider replacing the affected router with a more secure alternative. 5. Regularly check for and apply any firmware updates provided by Tenda. 6. Disable remote management features if they are not absolutely necessary.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

CVE Assignment

NVD published the first details for CVE-2024-50853

Nov 13, 2024 at 3:15 PM
First Article

Feedly found the first article mentioning CVE-2024-50853. See article

Nov 13, 2024 at 3:24 PM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Nov 13, 2024 at 3:34 PM
CVSS

A CVSS base score of 8 has been assigned.

Nov 14, 2024 at 2:35 PM / nvd
EPSS

EPSS Score was set to: 0.04% (Percentile: 10.1%)

Nov 14, 2024 at 2:35 PM
Proof of Concept (PoC) Released

A proof of concept exploit has been released

Nov 14, 2024 at 4:10 PM
Static CVE Timeline Graph

Affected Systems

Tendacn/g3_firmware
+null more

Exploits

https://github.com/zp9080/Tenda/blob/main/Tenda-G3v3.0%20V15.11.0.20-formSetDebugCfg/overview.md
+null more

Attack Patterns

CAPEC-136: LDAP Injection
+null more

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:Low
User Interaction:None
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI