CVE-2024-8225

Name of the Vulnerable Software and Affected Versions Tenda G3 version 15.11.0.20

Description The issue is related to a stack-based buffer overflow in the formSetSysTime function of the Tenda G3 wireless access point. This can be exploited by sending specially crafted POST requests to the /goform/SetSysTimeCfg endpoint, allowing a remote attacker to execute arbitrary code. The manipulation of the sysTimePolicy argument leads to this buffer overflow. The exploit has been disclosed publicly, and it is possible to launch the attack remotely.

Recommendations For Tenda G3 version 15.11.0.20, consider disabling the formSetSysTime function or restricting access to the /goform/SetSysTimeCfg endpoint until a patch is available. Avoid using the sysTimePolicy argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.