CVE-2024-57704

HighPublic PoC

Published: 16 January 2025

Published

16 January 2025

Modified

17 March 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0031 54.5th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Security Summary

CVE-2024-57704 is a stack-based buffer overflow vulnerability (CWE-787) affecting Tenda AC8v4 router firmware version V16.03.34.06. The flaw resides in the setSchedWifi function within the /goform/openSchedWifi file, where manipulation of the schedStartTime argument triggers the overflow.

The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating network accessibility with low attack complexity. Exploitation requires low privileges, such as those of an authenticated user, and no user interaction. Successful exploitation can compromise confidentiality, integrity, and availability to a high degree.

Advisories and mitigation details are available in the referenced GitHub repository at https://github.com/Pr0b1em/IoT/blob/master/Tenda%20AC8v4%20V16.03.34.06.md. No specific patch information is detailed in the provided CVE data.

Details

CWE(s): CWE-787

Affected Products

tenda

ac8 firmware

16.03.34.06

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Stack overflow in public-facing web interface (/goform/openSchedWifi) enables remote code execution via exploitation of the vulnerable router application.

References

https://github.com/Pr0b1em/IoT/blob/master/Tenda%20AC8v4%20V16.03.34.06.md
Exploit, Third Party Advisory · cve@mitre.org