CVE-2024-8224

Name of the Vulnerable Software and Affected Versions Tenda G3 version 15.11.0.20

Description A critical issue has been found in the Tenda G3, affecting the formSetDebugCfg function of the file /goform/setDebugCfg. The manipulation of the enable/level/module argument leads to a stack-based buffer overflow. This issue can be exploited remotely, allowing an attacker to execute arbitrary code by sending specially crafted POST requests. The exploit has been disclosed to the public. The vendor was contacted about this disclosure but did not respond.

Recommendations As a temporary workaround, consider disabling the formSetDebugCfg function until a patch is available. Restrict access to the /goform/setDebugCfg endpoint to minimize the risk of exploitation. Avoid using the enable/level/module argument in the affected API endpoint until the issue is resolved. Update your devices immediately to prevent remote attacks. Segment vulnerable devices to limit the potential damage. At the moment, there is no information about a newer version that contains a fix for this vulnerability.