Cyber Resilience

CVE-2024-46048

CriticalPublic PoCRCE

Published: 13 September 2024

Published
13 September 2024
Modified
20 September 2024
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.5835 98.2th percentile
Risk Priority 55 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-46048 is a critical-severity Command Injection (CWE-77) vulnerability in Tenda Fh451 Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 1.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

Tenda FH451 firmware version 1.0.0.9 contains a command injection vulnerability (CWE-77) in the formexeCommand function. The flaw received a CVSS 3.1 score of 9.8, reflecting network-accessible, unauthenticated exploitation with no user interaction required and full impact on confidentiality, integrity, and availability.

An attacker able to reach the device over the network can supply crafted input to the affected function and execute arbitrary operating-system commands, resulting in complete device compromise. The supplied reference provides technical details of the injection point but does not include vendor advisory or patch information.

The associated EPSS score stands at 0.5835 with an identical peak value, indicating sustained exploitation interest since disclosure. No evidence of in-the-wild exploitation or AI/ML relevance is present in the supplied data.

EU & UK References

Vulnerability details

Tenda FH451 v1.0.0.9 has a command injection vulnerability in the formexeCommand function i

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.008 Network Device CLI Execution
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.
Why these techniques?

Command injection in formexeCommand enables exploitation of public-facing router web application (T1190) and arbitrary command execution via network device CLI (T1059.008).

Affected Assets

tenda
fh451 firmware
1.0.0.9

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References