CVE-2024-3908

Name of the Vulnerable Software and Affected Versions Tenda AC500 version 2.0.1.9(1307)

Description The issue is related to the function formWriteFacMac of the /goform/WriteFacMac file, where the manipulation of the mac parameter can lead to command injection. This can be exploited remotely, allowing an attacker to execute arbitrary code. The vendor was contacted about this disclosure but did not respond.

Recommendations For Tenda AC500 version 2.0.1.9(1307), as a temporary workaround, consider disabling the formWriteFacMac function until a patch is available. Restrict access to the /goform/WriteFacMac endpoint to minimize the risk of exploitation. Avoid using the mac parameter in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.