PT-2022-27546 · Tenda · Tenda W6-S
Published: 2022-12-08 · Updated: 2022-12-10 · CVE-2022-45504
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Tenda W6-S version 1.0.0.4(510)
Description
The issue is in the component tpi systool handle(0) and is reachable through the API endpoint /goform/SysToolRestoreSet. Because the endpoint can be called without authentication, unauthenticated attackers can arbitrarily reboot the device.
Recommendations
For Tenda W6-S version 1.0.0.4(510), consider restricting access to the /goform/SysToolRestoreSet endpoint until a patch is available. As a temporary workaround, limit the ability of unauthenticated users to interact with the tpi systool handle(0) component to minimize the risk of exploitation.
Exploit
Fix
Missing Authentication
Weakness Enumeration
Related Identifiers
Affected Products
Tenda W6-S