CVE-2024-0923 Overview
CVE-2024-0923 is a stack-based buffer overflow [CWE-121] in the Tenda AC10U wireless router running firmware version 15.03.06.49_multi_TDE01. The flaw resides in the formSetDeviceName function, where the devName argument is copied into a fixed-size stack buffer without proper bounds checking. An unauthenticated attacker can reach the function over the network and corrupt the stack to hijack control flow. The vulnerability was assigned VulDB identifier VDB-252128 and exploit details have been published. The vendor was contacted prior to disclosure but did not respond.
Critical Impact
Remote, unauthenticated attackers can overflow the device name parameter to execute arbitrary code on affected Tenda AC10U routers, compromising confidentiality, integrity, and availability.
Affected Products
- Tenda AC10U router (hardware version 1.0)
- Tenda AC10U firmware 15.03.06.49_multi_TDE01
- Deployments exposing the router web management interface to untrusted networks
Discovery Timeline
- 2024-01-26 - CVE-2024-0923 published to the National Vulnerability Database (NVD)
- 2024-11-21 - Last updated in the NVD database
Technical Details for CVE-2024-0923
Vulnerability Analysis
The Tenda AC10U exposes a web-based administration interface that processes form submissions through a CGI-like handler. The formSetDeviceName handler receives a devName parameter from the HTTP request body and writes it into a stack-allocated buffer. The function does not validate the length of the supplied value before performing the copy.
When an attacker submits an overly long devName value, the write extends past the buffer boundary and corrupts adjacent stack data, including the saved return address. By controlling the overwritten return address, the attacker can redirect execution to attacker-supplied or ROP-chained code. Because the device runs the web server with elevated privileges, successful exploitation yields full control of the router.
Full technical reproduction steps are documented in the GitHub IoT research notes and the VulDB entry #252128.
Root Cause
The root cause is missing input length validation in formSetDeviceName. The handler trusts the attacker-controlled devName parameter and performs an unchecked string copy into a fixed-size stack buffer. The firmware is also built without modern exploit mitigations on the affected binary, which simplifies reliable exploitation of the corrupted return address.
Attack Vector
Exploitation requires only network access to the router web interface. No authentication, user interaction, or local access is needed. An attacker on the LAN, or on the WAN where the management interface is exposed, sends a crafted HTTP POST request to the endpoint backed by formSetDeviceName with an oversized devName value. The request triggers the overflow and can pivot to remote code execution as the web server process.
// No verified exploit code is published in this article.
// Refer to the public VulDB entry and the linked GitHub writeup for
// proof-of-concept request details and offset analysis.
Detection Methods for CVE-2024-0923
Indicators of Compromise
- HTTP POST requests to the router management interface containing abnormally long devName values, frequently exceeding several hundred bytes.
- Unexpected reboots, crashes, or watchdog resets on the AC10U coinciding with management-interface traffic.
- Outbound connections from the router to unknown hosts following inbound requests to formSetDeviceName.
- New or modified DNS, DHCP, or routing configuration on the device without administrative action.
Detection Strategies
- Inspect web server and HTTP proxy logs for POST bodies referencing devName with payload sizes inconsistent with legitimate device naming.
- Apply network intrusion detection signatures that flag oversized form parameters destined for Tenda router management URIs.
- Compare router firmware version, configuration, and running services against a known-good baseline to detect tampering.
Monitoring Recommendations
- Restrict and monitor administrative access to the router from management VLANs only, and alert on any other source addresses.
- Capture and review router syslog output centrally for crash traces and unexpected process restarts.
- Track outbound traffic from the router itself, since a compromised router commonly initiates connections to attacker infrastructure.
How to Mitigate CVE-2024-0923
Immediate Actions Required
- Disable remote (WAN-side) administration on the Tenda AC10U and confirm the management interface is not reachable from the internet.
- Limit LAN access to the router web UI to a dedicated management host or subnet using firewall rules.
- Change administrative credentials and audit configuration for unauthorized changes such as DNS overrides or port forwards.
Patch Information
No vendor patch is referenced in the NVD entry for CVE-2024-0923. The disclosure record states that Tenda was contacted but did not respond. Organizations operating affected AC10U devices should monitor the Tenda support portal for firmware updates and consider replacing the device with a supported model if no fix is released.
Workarounds
- Place the AC10U behind an upstream firewall and block inbound access to TCP ports used by the management interface from untrusted networks.
- Segment the router onto an isolated network so that a compromise does not provide lateral access to sensitive systems.
- Replace the affected hardware with a vendor-supported router if Tenda does not publish a patched firmware build.
# Example: block external access to the AC10U management interface
# from an upstream Linux gateway (adjust interface and router IP)
iptables -A FORWARD -i eth0 -d 192.0.2.1 -p tcp --dport 80 -j DROP
iptables -A FORWARD -i eth0 -d 192.0.2.1 -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

