CVE-2024-2900

Name of the Vulnerable Software and Affected Versions Tenda AC7 version 15.03.06.44

Description A critical issue was found in the saveParentControlInfo function of the /goform/saveParentControlInfo file, which is related to a stack-based buffer overflow. This can be exploited remotely by manipulating the deviceId/time/urls argument, potentially leading to a denial of service or the execution of arbitrary code.

Recommendations For Tenda AC7 version 15.03.06.44, as a temporary workaround, consider disabling the saveParentControlInfo function until a patch is available. Restrict access to the /goform/saveParentControlInfo endpoint to minimize the risk of exploitation. Avoid using the deviceId/time/urls argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.