CVE-2024-2707

Name of the Vulnerable Software and Affected Versions Tenda AC10U versions 15.03.06.49

Description The issue is related to the function formWriteFacMac, specifically the /goform/WriteFacMac endpoint, where a lack of proper sanitization of special elements in the command allows for os command injection. This can be exploited by a remote attacker to execute arbitrary commands. The manipulation of the mac argument is key to this exploit.

Recommendations For version 15.03.06.49, as a temporary workaround, consider restricting access to the /goform/WriteFacMac endpoint to minimize the risk of exploitation. Avoid using the mac argument in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.