CVE-2023-36103
Published: 10 September 2024
Summary
CVE-2023-36103 is a critical-severity Command Injection (CWE-77) vulnerability in Tenda Ac15 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 5.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2023-36103 is a command injection vulnerability (CWE-77) in the goform/SetIPTVCfg interface of Tenda AC15 routers running firmware V15.03.05.20. The flaw permits unauthenticated remote attackers to supply a crafted POST request that results in execution of arbitrary operating-system commands on the device.
An attacker with network access can leverage the issue without credentials or user interaction to achieve full control over the router, including the ability to read or modify configuration, intercept traffic, or pivot into attached networks. The vulnerability carries a CVSS 3.1 base score of 9.8, reflecting its critical severity and ease of exploitation over the network.
A publicly available proof-of-concept exploit for the issue has been posted on GitHub. The current and peak EPSS values are both 0.1280, indicating a stable moderate exploitation probability without a material rise after disclosure. No vendor advisory or patch information is referenced in the available sources.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-40083
Vulnerability details
Command Injection vulnerability in goform/SetIPTVCfg interface of Tenda AC15 V15.03.05.20 allows remote attackers to run arbitrary commands via crafted POST request.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.