CVE-2024-2982
Published: 27 March 2024
Summary
CVE-2024-2982 is a medium-severity Command Injection (CWE-77) vulnerability in Tenda Fh1202 Firmware. Its CVSS base score is 5.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Network Device CLI (T1059.008); ranked in the top 9.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2024-2982 is a command-injection vulnerability in the Tenda FH1202 router running firmware version 1.2.0.14(408). It resides in the formWriteFacMac function of the /goform/WriteFacMac endpoint, where unsanitized input supplied to the mac argument is passed directly to an operating-system command.
An authenticated attacker on the local network can supply a crafted mac value to execute arbitrary commands on the device. The CVSS 3.1 score of 5.5 reflects adjacent-network access with low attack complexity and low-privileged credentials, resulting in limited impacts to confidentiality, integrity, and availability.
Public proof-of-concept code has been published on GitHub, and the issue was disclosed without vendor response or patch information. The EPSS score has remained flat at 0.0514 since publication, indicating no measurable increase in observed exploitation activity.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-27922
Vulnerability details
A vulnerability has been found in Tenda FH1202 1.2.0.14(408) and classified as critical. Affected by this vulnerability is the function formWriteFacMac of the file /goform/WriteFacMac. The manipulation of the argument mac leads to command injection. The exploit has been disclosed…
more
to the public and may be used. The associated identifier of this vulnerability is VDB-258151. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Command injection via web form parameter 'mac' in Tenda FH1202 router enables arbitrary OS command execution, facilitating Network Device CLI abuse (T1059.008) and Indirect Command Execution (T1202) as noted in the advisory.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.