Corenode

**Name of the Vulnerable Software and Affected Versions** Tenda AC10 version 16.03.10.10 multi TDE01 **Description** A remote OS command injection flaw exists in the `formAddMacfilterRule()` function within the `/bin/httpd` file. This allows a remote attacker to execute arbitrary operating system commands on the device. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions Tenda AC10 version 16.03.10.10 multi TDE01 Description A stack-based buffer overflow can be triggered in the `fromSysToolChangePwd` function located in the `/bin/httpd` file. This occurs through manipulation of the `sys.userpass` argument, allowing for remote attacks. Recommendations Update to a newer version of Tenda AC10 that addresses this vulnerability. As a temporary workaround, restrict access to the `/bin/httpd` file or disable the `fromSysToolChangePwd` function until a patch is available.

Name of the Vulnerable Software and Affected Versions Tenda AC10 version 16.03.10.10 multi TDE01 Description A vulnerability exists in Tenda AC10 version 16.03.10.10 multi TDE01 related to the RSA 2048-bit Private Key Handler component and the file `/webroot ro/pem/privkeySrv.pem`. A manipulation of this file can lead to the use of a hard-coded cryptographic key. The attack can be launched remotely and has been publicly disclosed. Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions Tenda AC10 version 16.03.10.10 multi TDE01 Description A stack-based buffer overflow exists in the `fromSysToolChangePwd` function within the `/bin/httpd` file of Tenda AC10 version 16.03.10.10 multi TDE01. This manipulation can be initiated remotely and may affect multiple endpoints. Recommendations Update to a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions Tenda 4G03 Pro versions 1.0 through 1.1 and 04.03.01.53 Description A security flaw exists in Tenda 4G03 Pro. The issue involves improper access controls related to an unknown functionality within the `/bin/httpd` file. The attack can be performed remotely. Recommendations Update to a newer version that addresses this issue. As a temporary workaround, restrict access to the `/bin/httpd` file.

Name of the Vulnerable Software and Affected Versions Tenda 4G03 Pro versions 1.0/1.0re/01.bin/04.03.01.53 Description A weakness exists due to the use of a hard-coded cryptographic key within the ECDSA P-256 Private Key Handler functionality associated with the file `/etc/www/pem/server.key`. This issue can be exploited remotely. Recommendations Update to a newer version that addresses this issue. As a temporary workaround, restrict access to the `/etc/www/pem/server.key` file to minimize the risk of exploitation.