CVE-2023-49428

Name of the Vulnerable Software and Affected Versions Tenda AX12 version V22.03.01.46

Description The issue is related to a command injection vulnerability in the mac parameter at the "/goform/SetOnlineDevName" API endpoint. This vulnerability is due to the lack of input validation when processing the mac parameter, allowing a remote attacker to execute arbitrary commands by exploiting the SetOnlineDevName() function.

Recommendations For Tenda AX12 version V22.03.01.46, consider disabling the SetOnlineDevName() function or restricting access to the "/goform/SetOnlineDevName" API endpoint until a patch is available. Avoid using the mac parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.