CVE-2024-48826
Published: 28 October 2024
Summary
CVE-2024-48826 is a high-severity OS Command Injection (CWE-78) vulnerability in Tenda Ac7 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 9.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
Tenda AC7 firmware version 15.03.06.44 contains a pre-authentication command injection vulnerability in the ate_iwpriv_set function. The flaw, tracked as CVE-2024-48826 and assigned CWE-78, permits unauthenticated remote code execution and carries a CVSS 3.1 base score of 8.8 reflecting network-adjacent attack vector, low complexity, and high impact on confidentiality, integrity, and availability.
An attacker positioned on the same local network segment can send specially crafted requests to the affected endpoint without supplying credentials or user interaction, resulting in arbitrary command execution on the device. This grants the ability to compromise the router's configuration, intercept traffic, or pivot to connected systems.
The single public reference is a technical report detailing the vulnerability but does not include vendor advisory information or patch availability. The associated EPSS score has remained flat at 0.0514 with no observed increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-43120
Vulnerability details
Tenda AC7 v.15.03.06.44 ate_iwpriv_set has pre-authentication command injection allowing remote attackers to execute arbitrary code.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Pre-authentication command injection in Tenda AC7 router's ate_iwpriv_set enables remote exploitation of a public-facing application (T1190) for arbitrary code execution via Unix shell commands (T1059.004).
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.