CVE-2023-49429

Name of the Vulnerable Software and Affected Versions Tenda AX9 version V22.03.01.46

Description The issue is related to a SQL command injection vulnerability in the setDeviceInfo feature. This vulnerability can be exploited through the mac parameter at the "/goform/setModules" API endpoint. The vulnerability arises from the lack of protection against SQL query structure manipulation when handling the mac parameter. Exploitation of this vulnerability may allow a remote attacker to execute arbitrary commands.

Recommendations For Tenda AX9 version V22.03.01.46, consider disabling the setDeviceInfo feature or restricting access to the "/goform/setModules" API endpoint to minimize the risk of exploitation until a patch is available. Avoid using the mac parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.