Cyber Resilience

CVE-2024-3908

Medium · Public PoC

Published: 17 April 2024

Modified: 17 January 2025
KEV Added
Patch
CVSS Score v3.1: 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0761 (92.1th percentile)
Risk Priority: 17 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-3908 is a medium-severity Command Injection (CWE-77) vulnerability in Tenda AC500 firmware. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 7.9% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

Deeper analysis

A critical command injection vulnerability exists in Tenda AC500 firmware version 2.0.1.9(1307). The flaw resides in the formWriteFacMac function within the /goform/WriteFacMac endpoint, where unsanitized input to the mac argument allows arbitrary command execution. It is tracked as CVE-2024-3908 with a CVSS 3.1 score of 6.3 and is associated with CWE-77.

An authenticated remote attacker can send a crafted HTTP request to the affected endpoint to inject and execute operating system commands. Successful exploitation yields limited confidentiality, integrity, and availability impact on the device (C:L/I:L/A:L) without requiring user interaction.

Public proof-of-concept code has been released, and the vendor was notified prior to disclosure but provided no response or patch. The EPSS score remains flat at 0.0761 with no observed increase after publication.
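With no vendor patch, one defensive option is to flag requests to the endpoint described above whose mac value is not a plain MAC address. The following is an added example, not code from this page or from the vendor; the record layout (source IP, request target, body), the accepted MAC format, and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote, unquote_plus

ENDPOINT = "/goform/WriteFacMac"  # endpoint named in the advisory
PARAM = "mac"                     # argument named in the advisory
# Assumed legitimate format: six hex octets with one consistent ':' or '-' separator.
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}([:-])[0-9A-Fa-f]{2}(?:\1[0-9A-Fa-f]{2}){4}")


def form_fields(raw):
    """Yield decoded (name, value) pairs from a urlencoded string, split on '&' only."""
    for pair in raw.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            yield unquote_plus(name), unquote_plus(value)


def bad_mac_values(target, body=""):
    """Return decoded mac values sent to ENDPOINT that are not a plain MAC address."""
    parts = urlsplit(target)
    if unquote(parts.path).rstrip("/") != ENDPOINT:
        return []
    pairs = list(form_fields(parts.query)) + list(form_fields(body))
    return [v for n, v in pairs if n == PARAM and not MAC_RE.fullmatch(v)]


def scan(records):
    """records: iterable of (source_ip, request_target, body); returns findings."""
    findings = []
    for src, target, body in records:
        for value in bad_mac_values(target, body):
            findings.append((src, value))
    return findings


# Constructed sample requests (documentation IP ranges), not captured traffic.
SAMPLE = [
    ("192.0.2.10", "/goform/WriteFacMac", "mac=00:11:22:33:44:55"),
    ("192.0.2.10", "/goform/WriteFacMac?mac=AA-BB-CC-DD-EE-FF", ""),
    ("192.0.2.77", "/goform/WriteFacMac", "mac=00%3A11%3A22%3A33%3A44%3A55%3Bextra"),
    ("198.51.100.5", "/goform/WriteFacMac", "mac="),
    ("192.0.2.77", "/index.html?mac=not-checked", ""),
]

if __name__ == "__main__":
    for src, value in scan(SAMPLE):
        print(f"ALERT {src} non-MAC value for '{PARAM}': {value!r}")
```

The check is an allowlist: anything other than a well-formed MAC is reported, so it does not depend on enumerating shell metacharacters.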

EU & UK References

Vulnerability details

A vulnerability classified as critical has been found in Tenda AC500 2.0.1.9(1307). Affected is the function formWriteFacMac of the file /goform/WriteFacMac. The manipulation of the argument mac leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-261144. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1202 Indirect Command Execution (Stealth)
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

Why these techniques?

The unauthenticated command injection vulnerability in the Tenda AC500 router's public-facing web interface (/goform/WriteFacMac) enables exploitation of a public-facing application (T1190) and indirect command execution (T1202) by injecting arbitrary commands via the 'mac' parameter.

Affected Assets

tenda
ac500 firmware
2.0.1.9(1307)

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References