CVE-2024-11248

Name of the Vulnerable Software and Affected Versions Tenda AC10 version 16.03.10.13

Description A critical issue was found in the function formSetRebootTimer of the file /goform/SetSysAutoRebbotCfg, where the manipulation of the rebootTime argument leads to a stack-based buffer overflow. This can be exploited remotely, potentially affecting the confidentiality, integrity, and availability of protected information by sending a specially crafted POST request to the /goform/SetSysAutoRebbotCfg endpoint. The exploit has been disclosed publicly.

Recommendations As a temporary workaround, consider disabling the formSetRebootTimer function until a patch is available. Restrict access to the /goform/SetSysAutoRebbotCfg endpoint to minimize the risk of exploitation. Avoid using the rebootTime argument in the affected function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.