CVE-2024-46048
Published: 13 September 2024
Summary
CVE-2024-46048 is a critical-severity command injection (CWE-77) vulnerability in Tenda FH451 firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 1.8% of CVEs by exploit likelihood (EPSS), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
Tenda FH451 firmware version 1.0.0.9 contains a command injection vulnerability (CWE-77) in the formexeCommand function. The flaw received a CVSS 3.1 score of 9.8: the attack vector is the network, no privileges or user interaction are required, and confidentiality, integrity and availability are all fully impacted.
An attacker who can reach the device's web interface over the network can supply crafted input to the affected function and execute arbitrary operating-system commands with the privileges of the web server process, which on this class of embedded device typically runs as root, so the result is complete device compromise. The supplied reference gives technical details of the injection point but no vendor advisory or patch information. Until vendor guidance is available, the first check a practitioner should make is whether the device's management interface is reachable from untrusted networks, since that is the path exploitation requires.
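The pattern behind CWE-77 and the shape of a fix, as an added illustration that is not the Tenda FH451 firmware source and does not reproduce the formexeCommand handler: the hypothetical "ping" handler, the function names, the parameter and the sample payload are all assumptions made here for demonstration. The unsafe version splices a request parameter into a shell command line; the hardened version validates the value against a positive allowlist and then executes a fixed argv without a shell, so metacharacters never reach an interpreter.

```c
/* Added illustration for CWE-77 (OS command injection), not the Tenda FH451
 * firmware source: the real formexeCommand handler and its parameter names
 * are not reproduced here. The "ping" request handler below is a hypothetical
 * stand-in for any web handler that forwards a request parameter to a shell. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define CMD_MAX 512

/* VULNERABLE pattern: a request parameter is spliced into a command line that
 * a shell will parse. Input such as "8.8.8.8; cat /etc/passwd" terminates the
 * intended command and runs the attacker's. Returns the command that system()
 * would have received (static buffer, for illustration; nothing is executed). */
const char *build_command_unsafe(const char *param)
{
    static char cmd[CMD_MAX];
    snprintf(cmd, sizeof cmd, "ping -c 1 %s", param);
    return cmd;  /* the bug in the unsafe handler would be: system(cmd); */
}

/* HARDENED step 1: positive validation. Only characters that can appear in a
 * hostname or IPv4 address are accepted; a leading '-' is refused so the value
 * cannot be read as an option by the child program. */
bool is_safe_host(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 253 || s[0] == '-') return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '.' && c != '-') return false;
    }
    return true;
}

/* HARDENED step 2: no shell at all. The command is a fixed argv vector handed
 * to execv(), so ';', '|', '`' and '$()' are just bytes inside one argument.
 * Returns argc on success, -1 if the value was rejected or cap is too small. */
int build_ping_argv(const char *param, const char *argv_out[], size_t cap)
{
    if (cap < 5 || !is_safe_host(param)) return -1;
    argv_out[0] = "/bin/ping";
    argv_out[1] = "-c";
    argv_out[2] = "1";
    argv_out[3] = param;
    argv_out[4] = NULL;
    return 4;
}

/* Runs the validated argv without /bin/sh; returns the child's exit status,
 * or -1 if the input was rejected or the process could not be started. */
int run_ping_hardened(const char *param)
{
    const char *argv[5];
    if (build_ping_argv(param, argv, 5) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(argv[0], (char *const *)argv);
        _exit(127);  /* exec failed; never fall back to a shell */
    }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Scratch argv that the demonstration below fills (file scope so callers
 * need no locals of their own). */
const char *demo_argv[5];

int main(void)
{
    const char *payload = "8.8.8.8; cat /etc/passwd";  /* constructed sample */
    printf("unsafe command line: %s\n", build_command_unsafe(payload));
    printf("hardened accepts payload? %s\n",
           build_ping_argv(payload, demo_argv, 5) < 0 ? "no" : "yes");
    printf("hardened accepts 8.8.8.8? %s\n",
           build_ping_argv("8.8.8.8", demo_argv, 5) < 0 ? "no" : "yes");
    return 0;
}
```

The two hardening steps are deliberately independent: the allowlist rejects the payload before any process is spawned, and even if a future change weakened the allowlist, execv() with a fixed argv gives shell metacharacters no interpreter to act on. Rejecting a leading '-' matters because a value like "-f" passed as its own argv entry is still parsed by the child as an option.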
The EPSS score stands at 0.5835 (an estimated 58% probability of exploitation activity within the next 30 days), equal to its peak value, so the predicted exploitation likelihood has not declined since disclosure. No evidence of in-the-wild exploitation or AI/ML relevance is present in the supplied data.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-41772
Vulnerability details
Tenda FH451 v1.0.0.9 has a command injection vulnerability in the formexeCommand function i
- CWE(s): CWE-77, Improper Neutralization of Special Elements used in a Command ('Command Injection')
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1059.008 Command and Scripting Interpreter: Network Device CLI
Why these techniques?
The injection point sits in the router's web application, so reaching it is an exploit of a public-facing application (T1190); the payload that runs is an arbitrary OS command executed through the device's own command interpreter (T1059.008).
Affected Assets
- Tenda FH451 firmware 1.0.0.9
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.