Skip to main content
CVE Vulnerability Database

CVE-2024-0926: Tenda AC10U Buffer Overflow Vulnerability

CVE-2024-0926 is a critical stack-based buffer overflow in Tenda AC10U firmware affecting the formWifiWpsOOB function. Attackers can exploit this remotely to compromise devices. This article covers technical details, affected versions, impact analysis, and mitigation strategies.

Updated:

CVE-2024-0926 Overview

CVE-2024-0926 is a stack-based buffer overflow vulnerability in the Tenda AC10U wireless router running firmware version 15.03.06.49_multi_TDE01. The flaw resides in the formWifiWpsOOB function, where the index argument is processed without proper bounds checking. An unauthenticated remote attacker can manipulate this parameter to corrupt the stack, leading to denial of service or arbitrary code execution on the device. The exploit details have been publicly disclosed under VulDB identifier VDB-252131. Tenda was contacted prior to disclosure but did not respond, leaving deployed devices exposed without a vendor patch.

Critical Impact

Unauthenticated remote attackers can trigger a stack-based buffer overflow [CWE-121] in the Tenda AC10U router, potentially achieving full device compromise over the network.

Affected Products

  • Tenda AC10U router (hardware version 1.0)
  • Tenda AC10U firmware 15.03.06.49_multi_TDE01
  • Devices exposing the formWifiWpsOOB web management endpoint

Discovery Timeline

  • 2024-01-26 - CVE-2024-0926 published to NVD with VulDB identifier VDB-252131
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2024-0926

Vulnerability Analysis

The vulnerability exists in the formWifiWpsOOB handler within the Tenda AC10U web management interface. This function processes Wi-Fi Protected Setup (WPS) Out-Of-Band configuration requests submitted through the router's HTTP server. The handler reads an index parameter supplied by the client and copies it into a fixed-size stack buffer without validating its length.

Attackers reach the vulnerable code path over the network without authentication. The router's web server runs with elevated privileges, so successful exploitation grants control over networking, firewall, and packet routing functions. The Common Weakness Enumeration classifies this defect as [CWE-121] Stack-Based Buffer Overflow.

Public technical analysis of the flaw is available in the GitHub OOB Exploit Documentation and the VulDB entry #252131.

Root Cause

The root cause is missing input validation on the index argument before it is written to a stack-allocated buffer. The handler trusts the attacker-controlled length, allowing data to overflow the buffer boundary and overwrite adjacent stack frames, including the saved return address. MIPS-based Tenda firmware historically lacks stack canaries and consistent address space layout randomization, which simplifies reliable exploitation.

Attack Vector

Exploitation requires only network reachability to the router's HTTP management interface. The attacker sends a crafted POST request to the formWifiWpsOOB endpoint containing an oversized index parameter. No credentials, user interaction, or prior foothold are required. When the router is exposed to the WAN or shared across an untrusted LAN, remote attackers can chain the overflow into arbitrary code execution with root privileges on the embedded Linux system.

No verified proof-of-concept code is reproduced here. The vulnerability mechanism is documented in the references above, which describe the unchecked index parameter copy in formWifiWpsOOB.

Detection Methods for CVE-2024-0926

Indicators of Compromise

  • HTTP POST requests to the router targeting URI paths containing formWifiWpsOOB with abnormally long index parameter values
  • Unexpected reboots, watchdog resets, or httpd process crashes on the Tenda AC10U
  • Outbound connections from the router to unknown external hosts following inbound WPS configuration requests
  • New or modified firewall, DNS, or routing rules that were not applied by an administrator

Detection Strategies

  • Inspect web server access logs for requests to formWifiWpsOOB containing parameter values exceeding typical lengths (a few bytes)
  • Deploy network intrusion detection signatures that flag oversized POST bodies directed at Tenda management endpoints
  • Monitor for HTTP requests to router management interfaces originating from non-administrative network segments

Monitoring Recommendations

  • Forward router syslog and HTTP access logs to a centralized analytics platform for length-based anomaly detection on management endpoints
  • Alert on DNS resolution changes pushed by the router to client devices, which often indicate post-exploitation tampering
  • Track repeated 5xx responses or service restarts on the embedded HTTP server as signs of overflow attempts

How to Mitigate CVE-2024-0926

Immediate Actions Required

  • Remove the Tenda AC10U management interface from any WAN-facing exposure and restrict it to a trusted management VLAN
  • Block inbound traffic to TCP ports 80 and 443 of the router from untrusted networks at an upstream firewall
  • Disable WPS functionality on the router if not required, reducing the attack surface around formWifiWpsOOB
  • Inventory deployed Tenda AC10U devices on firmware 15.03.06.49_multi_TDE01 and prioritize replacement or isolation

Patch Information

No vendor patch is available. According to the NVD entry, Tenda was contacted before disclosure but did not respond. Organizations operating affected devices should plan migration to actively supported router platforms, since the vendor has not published fixed firmware for 15.03.06.49_multi_TDE01.

Workarounds

  • Place the AC10U behind a network firewall that drops inbound HTTP and HTTPS requests to the device from untrusted sources
  • Apply ACLs to permit router administration only from specific management workstations
  • Segment IoT and consumer-grade routers onto isolated VLANs that cannot reach sensitive corporate assets
  • Replace end-of-support devices with hardware from vendors providing active security maintenance
bash
# Example upstream firewall rules to block external access to the router management interface
# Replace ROUTER_IP and MGMT_SUBNET with your environment values
iptables -A FORWARD -p tcp -d ROUTER_IP --dport 80  -s MGMT_SUBNET -j ACCEPT
iptables -A FORWARD -p tcp -d ROUTER_IP --dport 443 -s MGMT_SUBNET -j ACCEPT
iptables -A FORWARD -p tcp -d ROUTER_IP --dport 80  -j DROP
iptables -A FORWARD -p tcp -d ROUTER_IP --dport 443 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.