CVE-2024-46435

HighPublic PoC

Published: 10 February 2025

Published

10 February 2025

Modified

25 March 2025

KEV Added

—

Patch

—

CVSS Score 8.0 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0166 82.2th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-46435 is a high-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Tenda W18E Firmware. Its CVSS base score is 8.0 (High).

Operationally, ranked in the top 17.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly addresses the improper input validation in the delFacebookPic function that causes the stack overflow.

SI-16 Memory Protection good match

prevent

Provides memory protections such as stack canaries, ASLR, and DEP to mitigate stack overflow exploits leading to DoS or code execution.

SI-2 Flaw Remediation good match

preventrecover

Ensures timely remediation of the specific stack overflow flaw through firmware patching or updates for the Tenda W18E.

NVD Description

A stack overflow vulnerability in the Tenda W18E V16.01.0.8(1625) web management portal allows an authenticated remote attacker to cause a denial of service or potentially execute arbitrary code. This vulnerability occurs due to improper input validation when handling user-supplied data…

in the delFacebookPic function.

Deeper analysisAI

CVE-2024-46435 is a stack overflow vulnerability affecting the web management portal of the Tenda W18E router running firmware version V16.01.0.8(1625). The issue stems from improper input validation when processing user-supplied data in the delFacebookPic function, which can lead to a buffer overflow condition. This flaw, classified under CWE-121, has a CVSS v3.1 base score of 8.0 (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact on confidentiality, integrity, and availability.

An authenticated remote attacker with low privileges, operating from an adjacent network (AV:A), can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation allows the attacker to trigger a denial of service by crashing the device or, potentially, execute arbitrary code, granting high-level control over the affected router.

Mitigation details and further analysis are provided in the advisory published by Redda Solutions at https://reddassolutions.com/blog/tenda_w18e_security_research. Security practitioners should consult this reference for any recommended patches or workarounds specific to the Tenda W18E.

Details

CWE(s): CWE-121

Affected Products

tenda

w18e firmware

16.01.0.8\(1625\)

CVEs Like This One

CVE-2024-46434Same product: Tenda W18E

CVE-2024-46436Same product: Tenda W18E

CVE-2024-46433Same product: Tenda W18E

CVE-2024-46432Same product: Tenda W18E

CVE-2024-46431Same product: Tenda W18E

CVE-2024-46429Same product: Tenda W18E

CVE-2025-70651Same vendor: Tenda

CVE-2025-70746Same vendor: Tenda

CVE-2025-69763Same vendor: Tenda

CVE-2025-69762Same vendor: Tenda

References

https://reddassolutions.com/blog/tenda_w18e_security_research
Exploit, Third Party Advisory · cve@mitre.org