CVE-2024-2897

Name of the Vulnerable Software and Affected Versions Tenda AC7 version 15.03.06.44

Description A critical issue is present in the Tenda AC7 router's software, related to the function formWriteFacMac of the file /goform/WriteFacMac. The manipulation of the mac argument leads to os command injection. This allows a remote attacker to execute arbitrary commands. The issue can be exploited remotely.

Recommendations For Tenda AC7 version 15.03.06.44, as a temporary workaround, consider disabling the formWriteFacMac function until a patch is available. Restrict access to the /goform/WriteFacMac endpoint to minimize the risk of exploitation. Avoid using the mac argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.