CVE-2024-50853
Published: 13 November 2024
Summary
CVE-2024-50853 is a high-severity command injection (CWE-77) vulnerability in Tenda G3 router firmware (listed under the vendor name "Tendacn" in NVD). Its CVSS base score is 8.8 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 10.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.
Deeper analysis
Tenda G3 v3.0 running firmware v15.11.0.20 contains a command injection vulnerability in the formSetDebugCfg handler of its web-management interface. The flaw is tracked as CVE-2024-50853 with a CVSS 3.1 base score of 8.8 and is associated with CWE-77 (command injection) and CWE-78 (OS command injection). Crafted input supplied to the handler is passed to the underlying operating system and executed.
An attacker with low-privileged network access to the device (the scoring requires low privileges, so a management-interface session rather than an unauthenticated request), and with no user interaction required, can use the injection to execute arbitrary commands, resulting in full compromise of confidentiality, integrity and availability (C:H/I:H/A:H) on the affected device. The vulnerability is reachable over the network and does not depend on any special configuration beyond the device's default web-management interface; a router whose management interface is exposed to the WAN is therefore directly reachable by remote attackers.
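The code pattern behind a CWE-77/CWE-78 finding of this kind, as an added C illustration that is not Tenda's code: the real formSetDebugCfg body, the name of the request parameter it reads and the command it builds are not on this page, so the `param` naming and the `echo ... > /tmp/debug.cfg` template below are assumptions. The vulnerable function only builds the command line and never calls system(), so the program is safe to run; beside it sit an allowlist check and a shell-free handler of the kind that closes the weakness, plus the metacharacter test a detection rule would apply to the raw parameter.

```c
/*
 * Added illustration of the command-injection pattern (CWE-77/CWE-78).
 * NOT Tenda's code: the real formSetDebugCfg handler is not reproduced.
 * The parameter semantics ("debug level name") and the command template
 * are assumptions. The vulnerable path only BUILDS the command string;
 * it never executes it.
 */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define CMD_MAX 256

/* Vulnerable pattern: an attacker-controlled request parameter is pasted
 * into a shell command line. Returns 0 and fills `out` with the string a
 * handler like this would hand to system(); -1 if it does not fit. */
int vulnerable_build_command(const char *param, char *out, size_t outlen) {
    /* Hypothetical template; the real handler's command is not on the page. */
    int n = snprintf(out, outlen, "echo %s > /tmp/debug.cfg", param);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Hardened check: allowlist of the characters a debug level/name may hold.
 * Anything else (';', '|', '&', '`', '$', newline, space, ...) is rejected
 * before the value can reach any command construction. */
int is_safe_debug_value(const char *param) {
    size_t len = strlen(param);
    if (len == 0 || len > 32) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)param[i];
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.')) return 0;
    }
    return 1;
}

/* Hardened handler: validate, then avoid the shell entirely by copying the
 * value into the config buffer directly (no system()/popen()).
 * Returns 0 on success, -1 if the value was rejected. */
int safe_set_debug_cfg(const char *param, char *cfg_out, size_t cfg_len) {
    if (!is_safe_debug_value(param)) return -1;
    snprintf(cfg_out, cfg_len, "%s", param);
    return 0;
}

/* Detection heuristic: does the raw parameter carry shell metacharacters?
 * Applied to the parameter value as logged by the web server. */
int has_shell_metachar(const char *s) {
    return strpbrk(s, ";|&`$()<>\n\r") != NULL;
}

int main(void) {
    char cmd[CMD_MAX];
    const char *benign  = "level3";      /* constructed sample */
    const char *hostile = "level3;id";   /* constructed sample */

    vulnerable_build_command(benign, cmd, sizeof cmd);
    printf("benign : %s\n", cmd);
    vulnerable_build_command(hostile, cmd, sizeof cmd);
    printf("hostile: %s\n", cmd);   /* ';' ends echo, so 'id' would run too */
    printf("hostile passes allowlist: %d\n", is_safe_debug_value(hostile));
    printf("hostile flagged by detector: %d\n", has_shell_metachar(hostile));
    return 0;
}
```

The allowlist is deliberately narrower than "reject known-bad characters": a denylist misses encodings and shell features the author did not think of, whereas a character class tied to what the parameter legitimately contains cannot. The detector is the inverse (a denylist) and is fine as a log-side alert, but it is not a substitute for fixing the handler.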
The single public reference is a technical write-up hosted on GitHub that demonstrates the injection point; no vendor advisory or firmware patch is referenced in the available data, so until one appears the practical mitigation is to keep the web-management interface off the WAN and limited to trusted management networks. EPSS (the estimated probability of exploitation in the wild within the next 30 days) rose from a low baseline to a peak of 0.1055 on 2025-12-11 before receding to the current value of 0.0508, indicating measurable exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-45028
Vulnerability details
Tenda G3 v3.0 v15.11.0.20 was discovered to contain a command injection vulnerability via the formSetDebugCfg function.
- CWE(s): CWE-77 (Improper Neutralization of Special Elements used in a Command), CWE-78 (Improper Neutralization of Special Elements used in an OS Command)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection in the web-management interface (formSetDebugCfg) of the Tenda G3 router is exploited by sending a crafted request to a public-facing application (T1190); the injected payload then runs as a Unix shell command on the device (T1059.004).
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping has not yet been run for this CVE; the applicable controls are those for the weakness types cited in the NVD entry (CWE-77 and CWE-78): validate input that reaches command construction against a strict allowlist, avoid invoking a shell from the web handler, run the web-management process with the least privilege the device allows, and restrict network reachability of the management interface.