CVE-2024-35339

Name of the Vulnerable Software and Affected Versions Tenda FH1206 version 1.2.0.8(8155)

Description The issue is related to a command injection vulnerability. It can be exploited via the mac parameter at the "/ip/goform/WriteFacMac" endpoint, allowing a remote attacker to execute arbitrary commands by sending a specially crafted POST request. Additionally, the vulnerability is associated with the failure to neutralize special elements used in the operating system command in the addVlan function at the "/view/networkConfig/vlan/vlan add commit.php" endpoint.

Recommendations For Tenda FH1206 version 1.2.0.8(8155), consider disabling the mac parameter in the "/ip/goform/WriteFacMac" endpoint and restricting access to the addVlan function at the "/view/networkConfig/vlan/vlan add commit.php" endpoint to minimize the risk of exploitation. Avoid using the mac parameter in the affected API endpoint until the issue is resolved.