CVE-2024-4171

Name of the Vulnerable Software and Affected Versions: Tenda W30E versions 1.0 through 1.0.1.25

Description: A critical issue has been found in the function fromWizardHandle of the file /goform/WizardHandle, which is related to a stack-based buffer overflow. The manipulation of the argument PPW can lead to this overflow. It is possible to launch the attack remotely by sending specially crafted POST requests, potentially allowing an attacker to execute arbitrary code. The issue has been publicly disclosed and may be exploited.

Recommendations: For Tenda W30E versions 1.0 through 1.0.1.25, as a temporary workaround, consider disabling the fromWizardHandle function until a patch is available. Restrict access to the /goform/WizardHandle file to minimize the risk of exploitation. Avoid using the PPW argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.