PT-2023-4719 · Tenda · Tenda Ac9+1
Published 2023-08-25 · Updated 2023-09-01 · CVE-2023-41563
CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Tenda AC9 versions V3.0 V15.03.06.42 multi
Tenda AC5 versions US AC5V1.0RTL V15.03.06.28
Description
The issue is related to a stack overflow in the GetParentControlInfo() function of Tenda AC9 and Tenda AC5 router software. This occurs when the mac parameter is processed, allowing a remote attacker to potentially execute arbitrary code or cause a denial of service. The vulnerability is exploited via the API endpoint "/goform/GetParentControlInfo" with the vulnerable mac parameter.
Recommendations
For Tenda AC9 version V3.0 V15.03.06.42 multi, consider disabling the GetParentControlInfo() function until a patch is available.
For Tenda AC5 version US AC5V1.0RTL V15.03.06.28, restrict access to the "/goform/GetParentControlInfo" API endpoint to minimize the risk of exploitation.
Avoid using the mac parameter in the affected API endpoint until the issue is resolved.
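As an added example (not part of the original advisory and not Tenda's code), the following log check flags requests to the affected endpoint whose mac value is not a well-formed MAC address. The access-log format, the placement of mac in the query string, and the 17-character MAC format are assumptions; the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/goform/GetParentControlInfo"  # endpoint named in the advisory
# Assumption: a legitimate mac value is a 17-character colon-separated MAC address.
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}")
# Assumption: request line as written in a common/combined-format access log.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def check_line(line):
    """Return None if the line is not of interest, else (verdict, detail)."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != ENDPOINT:
        return None
    values = parse_qs(url.query, keep_blank_values=True).get("mac", [])
    if not values:
        # The parameter may be in a request body, which access logs do not record.
        return ("review", "endpoint requested without a mac parameter in the URL")
    for value in values:
        if not MAC_RE.fullmatch(value):
            return ("alert", f"malformed mac value, length {len(value)}")
    return ("ok", "well-formed mac value")


def scan(lines):
    """Collect (line_number, verdict, detail) for every request to the endpoint."""
    results = []
    for number, line in enumerate(lines, 1):
        result = check_line(line)
        if result:
            results.append((number, *result))
    return results


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [01/Sep/2023:10:00:00 +0000] "GET /goform/GetParentControlInfo?mac=aa:bb:cc:dd:ee:ff HTTP/1.1" 200 412',
    '192.0.2.11 - - [01/Sep/2023:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '198.51.100.7 - - [01/Sep/2023:10:00:09 +0000] "GET /goform/GetParentControlInfo?mac=' + "0" * 600 + ' HTTP/1.1" 502 0',
    '192.0.2.10 - - [01/Sep/2023:10:00:12 +0000] "POST /goform/GetParentControlInfo HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for number, verdict, detail in scan(SAMPLE):
        print(f"line {number}: {verdict}: {detail}")
```

The same format check can serve as an allow rule on a filtering proxy placed in front of the device's management interface, if one is available.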
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Stack Overflow
Memory Corruption
Related Identifiers
Affected Products
Tenda Ac5
Tenda Ac9