CVE-2020-13391

Name of the Vulnerable Software and Affected Versions Tenda AC6 version 1.0 V15.03.05.19 multi TD01 Tenda AC9 version 1.0 V15.03.05.19(6318) CN Tenda AC9 version 3.0 V15.03.06.42 multi Tenda AC15 version 1.0 V15.03.05.19 multi TD01 Tenda AC18 version 15.03.05.19(6318) CN

Description A buffer overflow issue exists in the router's web server, specifically in the httpd. The vulnerability occurs when processing the speed dir parameter for a POST request to the "/goform/SetSpeedWan" API endpoint. An attacker can exploit this by constructing a payload that allows for arbitrary code execution attacks.

Recommendations For Tenda AC6 version 1.0 V15.03.05.19 multi TD01, consider disabling the httpd service until a patch is available. For Tenda AC9 version 1.0 V15.03.05.19(6318) CN, restrict access to the "/goform/SetSpeedWan" API endpoint to minimize the risk of exploitation. For Tenda AC9 version 3.0 V15.03.06.42 multi, avoid using the speed dir parameter in the affected API endpoint until the issue is resolved. For Tenda AC15 version 1.0 V15.03.05.19 multi TD01, restrict access to the vulnerable httpd service to minimize the risk of exploitation. For Tenda AC18 version 15.03.05.19(6318) CN, consider disabling the httpd service until a patch is available.