CVE-2021-31755
Published: 07 May 2021
Summary
CVE-2021-31755 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Tenda AC11 firmware. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
A stack buffer overflow vulnerability exists in Tenda AC11 wireless routers running firmware versions through 02.03.01.104_CN. The flaw is located in the /goform/setmac endpoint and is classified as CWE-787. It carries a CVSS 3.1 base score of 9.8, reflecting an attack path that is reachable over the network and requires no authentication.
An unauthenticated attacker can send a crafted HTTP POST request to the affected endpoint and trigger the overflow to execute arbitrary code on the device. Successful exploitation grants full control of the router, enabling actions such as traffic interception, persistence, or lateral movement within the attached network.
The vulnerability appears in CISA's Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation. Public proof-of-concept material is available in repositories that demonstrate request construction against the setmac handler, underscoring the need for immediate firmware updates or network segmentation where patches are unavailable.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-18639
Vulnerability details
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setmac allows attackers to execute arbitrary code on the system via a crafted post request.
- CWE(s): CWE-787
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
Mandatory input validation on the /goform/setmac handler would reject the oversized POST body before the stack buffer is overwritten.
Applying the vendor firmware update that corrects the CWE-787 flaw in setmac eliminates the exploitable condition entirely.
Hardware-enforced memory protections (e.g., NX) and compiler-inserted stack canaries raise the difficulty of converting the overflow into reliable code execution.
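A defender-side check for the condition the input-validation control above describes, added here as an example and not part of the original advisory: it scans web-server access-log lines for oversized POST requests to /goform/setmac. The log format (nginx-style with the request length as the last field), the constructed sample lines, and the 512-byte threshold are all assumptions, not vendor values.

```python
import re
from dataclasses import dataclass

# Assumed log layout (constructed for this example): client, two ident fields,
# bracketed timestamp, quoted request line, status, then request length in bytes.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<req_len>\d+)$'
)

WATCHED_PATH = "/goform/setmac"
# The advisory only says the overflow is triggered by an oversized POST body;
# this byte limit is an assumed tuning value for the detection, not a vendor figure.
MAX_REQUEST_BYTES = 512


@dataclass
class Alert:
    src: str
    ts: str
    req_len: int


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string before comparing
    rec["req_len"] = int(rec["req_len"])
    return rec


def find_oversized_setmac_posts(lines, limit=MAX_REQUEST_BYTES):
    """Return an Alert for every POST to the watched path whose request exceeds limit bytes."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped, not treated as hits
        if rec["method"] == "POST" and rec["path"] == WATCHED_PATH and rec["req_len"] > limit:
            alerts.append(Alert(rec["src"], rec["ts"], rec["req_len"]))
    return alerts


# Constructed sample log lines (RFC 5737 documentation addresses); only the second one should alert.
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Nov/2021:10:00:01 +0000] "POST /goform/setmac HTTP/1.1" 200 214',
    '192.0.2.77 - - [03/Nov/2021:10:02:15 +0000] "POST /goform/setmac HTTP/1.1" 200 4096',
    '192.0.2.10 - - [03/Nov/2021:10:03:40 +0000] "GET /goform/setmac HTTP/1.1" 200 180',
    '192.0.2.77 - - [03/Nov/2021:10:04:02 +0000] "POST /goform/other HTTP/1.1" 200 4096',
    'not a log line',
]

if __name__ == "__main__":
    for a in find_oversized_setmac_posts(SAMPLE_LOG):
        print(f"{a.ts} {a.src} oversized POST to {WATCHED_PATH}: {a.req_len} bytes")
```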