CVE-2024-46435
Published: 10 February 2025
Description
A stack overflow vulnerability in the Tenda W18E V16.01.0.8(1625) web management portal allows an authenticated remote attacker to cause a denial of service or potentially execute arbitrary code. This vulnerability occurs due to improper input validation when handling user-supplied data in the delFacebookPic function.
Security Summary
CVE-2024-46435 is a stack overflow vulnerability affecting the web management portal of the Tenda W18E router running firmware version V16.01.0.8(1625). The issue stems from improper input validation when processing user-supplied data in the delFacebookPic function, which can lead to a buffer overflow condition. This flaw, classified under CWE-121, has a CVSS v3.1 base score of 8.0 (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact on confidentiality, integrity, and availability.
An authenticated remote attacker with low privileges, operating from an adjacent network (AV:A), can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation allows the attacker to trigger a denial of service by crashing the device or, potentially, execute arbitrary code, granting high-level control over the affected router.
Mitigation details and further analysis are provided in the advisory published by Redda Solutions at https://reddassolutions.com/blog/tenda_w18e_security_research. Security practitioners should consult this reference for any recommended patches or workarounds specific to the Tenda W18E.
Details
- CWE(s)