CVE-2024-48826

High · Public PoC

Published: 28 October 2024
Modified: 17 March 2025
KEV Added:
Patch:
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0514 (90.1th percentile)
Risk Priority: 21 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-48826 is a high-severity OS Command Injection (CWE-78) vulnerability in Tenda AC7 firmware. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 9.9% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

Deeper analysis

Tenda AC7 firmware version 15.03.06.44 contains a pre-authentication command injection vulnerability in the ate_iwpriv_set function. The flaw, tracked as CVE-2024-48826 and assigned CWE-78, permits unauthenticated remote code execution. It carries a CVSS 3.1 base score of 8.8, reflecting an adjacent-network attack vector, low complexity, and high impact on confidentiality, integrity, and availability.

An attacker positioned on the same local network segment can send specially crafted requests to the affected endpoint without supplying credentials and without any user interaction, resulting in arbitrary command execution on the device. This grants the ability to compromise the router's configuration, intercept traffic, or pivot to connected systems.

The single public reference is a technical report that details the vulnerability but includes no vendor advisory information or patch availability. The associated EPSS score has remained flat at 0.0514 with no observed increase since disclosure.

Vulnerability details

Tenda AC7 v.15.03.06.44 ate_iwpriv_set has pre-authentication command injection allowing remote attackers to execute arbitrary code.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (tactic: Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

Pre-authentication command injection in the Tenda AC7 router's ate_iwpriv_set function enables remote exploitation of a public-facing application (T1190) for arbitrary code execution via Unix shell commands (T1059.004).

Affected Assets

Vendor: tenda
Product: ac7 firmware
Version: 15.03.06.44

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-78

Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

addresses: CWE-78

Validates inputs to block special elements that would alter OS command execution.
