CVE-2024-4064

Name of the Vulnerable Software and Affected Versions Tenda AC8 version 16.03.34.09

Description A critical issue affects the function R7WebsSecurityHandler of the file /goform/execCommand, leading to a stack-based buffer overflow when the password argument is manipulated. This can be exploited remotely, potentially impacting the confidentiality, integrity, and availability of protected information by sending a specially crafted POST request to the "/goform/execCommand" endpoint. The exploit has been disclosed publicly.

Recommendations For Tenda AC8 version 16.03.34.09, consider disabling the R7WebsSecurityHandler function or restricting access to the /goform/execCommand endpoint until a patch is available. Avoid using the password argument in the affected endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.