Cyber Resilience

CVE-2024-2897

Medium · Public PoC

Published: 26 March 2024

Modified
22 January 2025
KEV Added
Patch
CVSS Score v3.1 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
EPSS Score 0.0564 90.6th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-2897 is a medium-severity OS Command Injection (CWE-78) vulnerability in Tenda AC7 firmware. Its CVSS base score is 6.3 (Medium).

Operationally, it ranks in the top 9.4% of CVEs by exploit likelihood (EPSS 0.0564, 90.6th percentile); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

A critical OS command injection vulnerability, tracked as CVE-2024-2897 and assigned CWE-78, affects the Tenda AC7 wireless router running firmware 15.03.06.44. The flaw resides in the formWriteFacMac function of the /goform/WriteFacMac endpoint, where unsanitized input to the mac parameter is passed directly to the operating system.

An authenticated remote attacker can supply a crafted mac value to execute arbitrary commands on the device. With a CVSS score of 6.3, successful exploitation yields limited read, write, and availability impact on the affected router without requiring user interaction.

Public references, including a detailed proof-of-concept on GitHub and entries in VulDB, document the issue and confirm that the vendor was notified yet provided no response or patch. The associated EPSS score has remained flat at 0.0564 since disclosure, indicating no measurable increase in observed exploitation interest.

EU & UK References

Vulnerability details

A vulnerability classified as critical has been found in Tenda AC7 15.03.06.44. Affected is the function formWriteFacMac of the file /goform/WriteFacMac. The manipulation of the argument mac leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257940. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: tenda
Product: ac7 firmware
Version: 15.03.06.44

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-78

Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

addresses: CWE-78

Validates inputs to block special elements that would alter OS command execution.
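The input-validation control above, shown as an added example in C (the language the router firmware is written in). This is illustrative code written for this page, not Tenda's formWriteFacMac implementation; the handler name, the helper path /bin/setmac and the --mac flag are placeholders chosen for the example. The point it demonstrates is the CWE-78 mitigation: the mac value is checked against a strict allow-list (exactly six colon-separated hex octets) before use, and the accepted value is then passed as a single argv element rather than interpolated into a shell command string, so no shell ever parses user input.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Strict allow-list check for a MAC address of the form "XX:XX:XX:XX:XX:XX".
 * Only hex digits and colons in fixed positions are accepted, so any shell
 * metacharacter, whitespace, or extra length is rejected before the value
 * can reach command construction (the CWE-78 sink). */
int is_valid_mac(const char *mac) {
    if (mac == NULL) return 0;
    if (strlen(mac) != 17) return 0;            /* 6 octets + 5 separators */
    for (int i = 0; i < 17; i++) {
        if (i % 3 == 2) {
            if (mac[i] != ':') return 0;        /* separator positions */
        } else if (!isxdigit((unsigned char)mac[i])) {
            return 0;                           /* octet positions */
        }
    }
    return 1;
}

/* Hypothetical handler skeleton (not the firmware's own code).
 * On success it fills out_argv with a NULL-terminated argument vector
 * suitable for execv(): the validated mac travels as its own argv element,
 * never through a shell. Returns 0 when the value is accepted, -1 otherwise.
 * "/bin/setmac" and "--mac" are placeholders for whatever helper the
 * device actually uses. */
int handle_write_fac_mac(const char *mac_param, char *out_argv[], size_t out_n) {
    if (out_argv == NULL || out_n < 4) return -1;
    if (!is_valid_mac(mac_param)) {
        /* A real handler would answer HTTP 400 here and log the rejection. */
        return -1;
    }
    out_argv[0] = "/bin/setmac";   /* placeholder helper path */
    out_argv[1] = "--mac";         /* placeholder flag */
    out_argv[2] = (char *)mac_param;
    out_argv[3] = NULL;
    return 0;
}

/* Convenience wrapper: 1 if the parameter would be accepted and forwarded,
 * 0 if the handler rejects it. */
int fac_mac_accepted(const char *mac_param) {
    char *argv[4];
    return handle_write_fac_mac(mac_param, argv, 4) == 0;
}

int main(void) {
    /* Constructed sample inputs: one well-formed value and one carrying a
     * trailing shell metacharacter, as a request might deliver it. */
    const char *samples[] = { "00:1A:2b:3C:4d:5E", "00:11:22:33:44:55;" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-20s -> %s\n", samples[i],
               fac_mac_accepted(samples[i]) ? "accepted" : "rejected");
    }
    return 0;
}
```

The validator is deliberately an allow-list rather than a deny-list of characters such as `;` or `|`: a deny-list has to anticipate every metacharacter of every shell the device might invoke, while the allow-list only has to describe the one format the parameter legitimately takes. Using an argv array instead of a formatted command string is the second layer; even if validation were loosened later, the value would still not be parsed by a shell.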

References