CVE-2024-9793
Published: 10 October 2024
Summary
CVE-2024-9793 is a medium-severity Command Injection (CWE-77) vulnerability in Tenda Ac1206 Firmware. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Network Device CLI (T1059.008); ranked in the top 6.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
A command injection vulnerability exists in the Tenda AC1206 wireless router firmware up to version 15.03.06.23. The flaw resides in the ate_iwpriv_set and ate_ifconfig_set functions within the /goform/ate endpoint and stems from improper handling of attacker-supplied input, corresponding to CWE-77 and CWE-78. The issue received a CVSS 4.0 score of 5.3 and can be triggered over the network without user interaction.
An authenticated attacker with low privileges can send crafted requests to the affected endpoint and execute arbitrary operating-system commands on the device. Successful exploitation yields limited effects on confidentiality, integrity, and availability of the router but requires no special conditions beyond network reachability. Public proof-of-concept reports detail the injection technique and confirm that the vendor did not respond to disclosure.
The referenced GitHub reports and Vuldb entries contain technical descriptions and exploit details but provide no official patches or mitigation guidance, consistent with the vendor’s lack of response. The EPSS score has remained flat at 0.10 with no material increase since publication, and no information on in-the-wild exploitation is available.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-50119
Vulnerability details
A vulnerability classified as critical was found in Tenda AC1206 up to 15.03.06.23. This vulnerability affects the function ate_iwpriv_set/ate_ifconfig_set of the file /goform/ate. The manipulation leads to command injection. The attack can be initiated remotely. The exploit has been disclosed…
more
to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Command injection via the router's web interface (/goform/ate) enables exploitation of public-facing applications (T1190), indirect command execution through web handlers (T1202), and abuse of network device command interpreters like iwpriv/ifconfig (T1059.008).
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.