CVE-2024-3909

Name of the Vulnerable Software and Affected Versions Tenda AC500 version 2.0.1.9(1307)

Description A critical vulnerability was found in the function formexeCommand of the file /goform/execCommand, which is related to a stack-based buffer overflow. The manipulation of the argument cmdinput can lead to this overflow. The attack can be launched remotely, and the exploit has been disclosed to the public. This allows a remote attacker to potentially execute arbitrary code using a specially crafted POST request.

Recommendations For Tenda AC500 version 2.0.1.9(1307), as a temporary workaround, consider disabling the formexeCommand function until a patch is available. Restrict access to the /goform/execCommand endpoint to minimize the risk of exploitation. Avoid using the cmdinput argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.