CVE-2020-13393

Name of the Vulnerable Software and Affected Versions Tenda AC6 version 1.0 V15.03.05.19 multi TD01 Tenda AC9 version 1.0 V15.03.05.19(6318) CN Tenda AC9 version 3.0 V15.03.06.42 multi Tenda AC15 version 1.0 V15.03.05.19 multi TD01 Tenda AC18 version 15.03.05.19(6318) CN

Description A buffer overflow issue exists in the router's web server, specifically in the httpd. The vulnerability occurs when processing the "deviceId" and "time" parameters for a POST request to the "/goform/saveParentControlInfo" endpoint. An attacker can exploit this by constructing a payload to carry out arbitrary code execution attacks.

Recommendations For Tenda AC6 version 1.0 V15.03.05.19 multi TD01, consider disabling the httpd service until a patch is available. For Tenda AC9 version 1.0 V15.03.05.19(6318) CN, restrict access to the "/goform/saveParentControlInfo" endpoint to minimize the risk of exploitation. For Tenda AC9 version 3.0 V15.03.06.42 multi, avoid using the deviceId and time parameters in the affected API endpoint until the issue is resolved. For Tenda AC15 version 1.0 V15.03.05.19 multi TD01, consider temporarily disabling the httpd service to prevent exploitation. For Tenda AC18 version 15.03.05.19(6318) CN, restrict access to the vulnerable httpd service until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.