Cyber Resilience

CVE-2024-2991

Medium · Public PoC

Published: 27 March 2024

Modified: 22 January 2025
KEV Added: not listed
Patch: none
CVSS Score v3.1: 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0610 (91.0th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-2991 is a medium-severity Command Injection (CWE-77) vulnerability in Tenda FH1203 firmware. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). The CVE ranks in the top 9.0% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

Deeper analysis

CVE-2024-2991 is a command injection vulnerability affecting the Tenda FH1203 router running firmware version 2.0.1.6. It exists in the formWriteFacMac function of the /goform/WriteFacMac endpoint, where unsanitized input to the mac argument permits execution of arbitrary operating system commands. The issue is tracked under CWE-77 and carries a CVSS 3.1 score of 6.3.

An attacker with low-privileged network access can trigger the flaw remotely without user interaction, resulting in limited effects on confidentiality, integrity, and availability. Public exploit code has already been published that demonstrates the injection technique against the affected endpoint.

The vendor was notified prior to disclosure but provided no response or patch. The associated EPSS score has remained flat at 0.0610 with no material rise since publication, indicating limited observed exploitation interest to date.

Vulnerability details

A vulnerability has been found in Tenda FH1203 2.0.1.6 and classified as critical. This vulnerability affects the function formWriteFacMac of the file /goform/WriteFacMac. The manipulation of the argument mac leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-258160. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1202 Indirect Command Execution (Stealth)
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

Why these techniques?

Command injection in the router web interface (/goform/WriteFacMac) enables remote exploitation of a public-facing application (T1190), indirect command execution (T1202, as noted in the advisory), and arbitrary Unix shell command execution (T1059.004).

Affected Assets

Vendor: tenda
Product: fh1203 firmware
Version: 2.0.1.6

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
