CVE-2024-10283

Name of the Vulnerable Software and Affected Versions: Tenda RX9 and RX9 Pro version 22.03.02.20

Description: A critical issue has been found, affecting the function sub 4337EC of the file /goform/SetNetControlList. The manipulation of the list argument leads to a stack-based buffer overflow. This can be exploited remotely, potentially allowing an attacker to cause a denial of service by sending a specially crafted POST request to the /goform/SetNetControlList endpoint.

Recommendations: For Tenda RX9 and RX9 Pro version 22.03.02.20, as a temporary workaround, consider disabling the sub 4337EC function until a patch is available. Restrict access to the /goform/SetNetControlList endpoint to minimize the risk of exploitation. Avoid using the list argument in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.