Cyber Resilience

CVE-2024-50853

HighPublic PoCRCE

Published: 13 November 2024

Published
13 November 2024
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0508 90.0th percentile
Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-50853 is a high-severity Command Injection (CWE-77) vulnerability in Tendacn G3 Firmware. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 10.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

Tenda G3 v3.0 running firmware version 15.11.0.20 contains a command injection vulnerability in the formSetDebugCfg function. The flaw is tracked as CVE-2024-50853 with a CVSS 3.1 base score of 8.8 and is associated with CWE-77 and CWE-78. It permits unauthenticated remote attackers to supply crafted input that is executed by the underlying operating system.

An attacker with low-privileged network access and no user interaction required can leverage the injection to execute arbitrary commands, resulting in full compromise of confidentiality, integrity, and availability on the affected device. The vulnerability is reachable over the network and does not depend on any special configuration beyond the device's default web-management interface.

The single public reference is a technical write-up hosted on GitHub that demonstrates the injection point; no vendor advisory or firmware patch addressing mitigation steps is referenced in the available data. EPSS for the CVE rose from a low baseline to a peak of 0.1055 on 2025-12-11 before receding to the current value of 0.0508, indicating a measurable increase in exploitation interest after disclosure.

EU & UK References

Vulnerability details

Tenda G3 v3.0 v15.11.0.20 was discovered to contain a command injection vulnerability via the formSetDebugCfg function.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Command injection in the web management interface (formSetDebugCfg) of Tenda G3 router enables exploitation of a public-facing application (T1190) and arbitrary Unix shell command execution (T1059.004).

Affected Assets

tendacn
g3 firmware
15.11.0.20

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-78

Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

addresses: CWE-78

Validates inputs to block special elements that would alter OS command execution.

References