CVE-2024-57703
Published: 16 January 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2024-57703 is a stack-based buffer overflow vulnerability in Tenda AC8v4 firmware version V16.03.34.06. The issue affects the setSchedWifi function within the /goform/openSchedWifi endpoint, where manipulation of the schedEndTime argument triggers the overflow. This flaw is classified under CWE-787 (Out-of-bounds Write) and CWE-120 (Buffer Copy without Checking Size of Input), earning a CVSS v3.1 base score of 9.8, indicating critical severity due to its network accessibility, low attack complexity, and lack of prerequisites.
An unauthenticated remote attacker can exploit this vulnerability by sending a specially crafted HTTP request to the affected web interface over the network. Successful exploitation leads to a stack-based buffer overflow, potentially allowing arbitrary code execution, denial of service, or unauthorized access with high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H).
Mitigation details and proof-of-concept information are available in the referenced advisory at https://github.com/Pr0b1em/IoT/blob/master/Tenda%20AC8v4%20V16.03.34.06.md. Security practitioners should check for firmware updates from Tenda and apply network segmentation or exposure controls to vulnerable devices until patched.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The stack-based buffer overflow in the web interface function /goform/openSchedWifi of the Tenda AC8v4 router is exploitable remotely via a crafted schedEndTime parameter, enabling exploitation of a public-facing application.