CVE-2024-46431

HighPublic PoC

Published: 10 February 2025

Published

10 February 2025

Modified

25 March 2025

KEV Added

—

Patch

—

CVSS Score 8.0 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0003 9.6th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

Tenda W18E V16.01.0.8(1625) is vulnerable to Buffer Overflow. An attacker with access to the web management portal can exploit this vulnerability by sending specially crafted data to the delWewifiPic function.

Security Summary

CVE-2024-46431 is a buffer overflow vulnerability (CWE-120) affecting the Tenda W18E router running firmware version V16.01.0.8(1625). The flaw resides in the delWewifiPic function within the web management portal, where specially crafted data can trigger the overflow.

An attacker with low privileges (PR:L) and adjacent network access (AV:A) can exploit this vulnerability with low complexity (AC:L) and no user interaction required (UI:N). Successful exploitation grants high-impact confidentiality, integrity, and availability consequences (C:H/I:H/A:H), potentially allowing arbitrary code execution on the device.

The primary advisory is detailed in a security research blog at https://reddassolutions.com/blog/tenda_w18e_security_research, which covers the vulnerability discovery but does not specify patch availability or mitigation steps in the provided information.

Details

CWE(s): CWE-120

Affected Products

tenda

w18e firmware

16.01.0.8\(1625\)

References

https://reddassolutions.com/blog/tenda_w18e_security_research
Exploit, Third Party Advisory · cve@mitre.org