CVE-2024-46450
Published: 16 January 2025
Summary
CVE-2024-46450 is a high-severity Missing Authorization (CWE-862) vulnerability in Tenda AC6 firmware. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 36.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2024-46450 is an incorrect access control vulnerability, classified under CWE-862 (Missing Authorization), affecting the Tenda AC1200 Smart Dual-Band WiFi Router Model AC6 v2.0 running firmware version v15.03.06.50. The issue stems from flawed access controls in the router's web interface, enabling attackers to bypass authentication mechanisms through a specially crafted web request.
The vulnerability carries a CVSS v3.1 base score of 8.1 (High), with vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N. Remote attackers require no privileges and can exploit it over the network with low attack complexity, though it requires user interaction, such as clicking a malicious link or visiting a crafted page. Successful exploitation has a high impact on confidentiality and integrity, potentially allowing unauthorized access to sensitive router configuration or data.
Mitigation details are available in the referenced advisory at https://pastebin.com/BXxTqsZk.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-42221
Vulnerability details
Incorrect access control in Tenda AC1200 Smart Dual-Band WiFi Router Model AC6 v2.0 Firmware v15.03.06.50 allows attackers to bypass authentication via a crafted web request.
- CWE(s): CWE-862 (Missing Authorization)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
Authentication bypass in the router's public web interface directly enables exploitation of a public-facing application for unauthorized access.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Enforces approved authorizations for access to system resources, directly preventing authentication bypass via crafted web requests in the router's interface.
- AC-14 (Permitted Actions Without Identification or Authentication): Explicitly identifies and authorizes only the specific actions that may be performed without identification or authentication, countering the missing authorization that enables unauthorized access.
- Validates the integrity of web request inputs, mitigating crafted requests that exploit flawed access controls in the router firmware.