CVE-2024-10195 Overview
CVE-2024-10195 is a SQL injection vulnerability in the Tecno 4G Portable WiFi TR118 router running firmware version V008-20220830. The flaw resides in the /goform/goform_get_cmd_process endpoint within the SMS Check component. Attackers can manipulate the order_by parameter to inject arbitrary SQL statements. The issue is remotely exploitable over the network and requires high privileges to trigger. According to the disclosure, the vendor was contacted before public release but did not respond. The weakness is categorized under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).
Critical Impact
Authenticated remote attackers can inject SQL through the order_by parameter of the SMS Check handler, potentially exposing or tampering with data stored on the device.
Affected Products
- Tecno 4G Portable WiFi TR118 hardware (cpe:2.3:h:tecno-mobile:4g_portable_wifi_tr118)
- Tecno 4G Portable WiFi TR118 firmware version V008-20220830
- Deployments exposing the device web management interface over reachable networks
Discovery Timeline
- 2024-10-20 - CVE-2024-10195 published to the National Vulnerability Database
- 2024-10-24 - Last updated in NVD database
Technical Details for CVE-2024-10195
Vulnerability Analysis
The Tecno TR118 web management interface exposes the /goform/goform_get_cmd_process handler, which serves several administrative commands including the SMS Check function. The handler accepts an order_by query parameter and concatenates it into a backend SQL statement without proper sanitization or parameterization. As a result, attackers who supply crafted SQL fragments in order_by alter the structure of the executed query.
Because the embedded database stores SMS records and configuration data, successful injection can disclose, modify, or delete those records. The vulnerability requires authenticated access to the device, which limits unauthenticated mass exploitation but does not prevent attacks from users with valid sessions or attackers who first obtain credentials.
Root Cause
The root cause is missing input neutralization in the goform_get_cmd_process request handler. The firmware builds SQL queries by concatenating user-controlled order_by input into the query string. No prepared statements, parameter binding, or allowlist validation are applied. This pattern matches [CWE-89] and is common in embedded goform web handlers used by ZTE-derived router firmware.
Attack Vector
The attacker sends an HTTP request to /goform/goform_get_cmd_process referencing the SMS Check action and supplies a malicious value in the order_by parameter. The injected SQL fragment is appended to the ORDER BY clause of the backing query. Attackers can leverage UNION-based or boolean-based techniques to read arbitrary table contents, including stored SMS messages and account data. A proof-of-concept session recording is referenced in the Asciinema Recording and in VulDB entry #280969.
No verified exploit code is published in a public exploit database, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog at the time of writing.
Detection Methods for CVE-2024-10195
Indicators of Compromise
- HTTP requests to /goform/goform_get_cmd_process containing SQL meta-characters such as single quotes, UNION, SELECT, SLEEP(, or comment sequences inside the order_by parameter.
- Unusual administrative sessions on the TR118 web interface originating from untrusted source addresses.
- Outbound DNS or HTTP callbacks from the router shortly after access to the SMS Check page, which may indicate out-of-band SQL injection.
Detection Strategies
- Inspect web server logs on the device, or upstream proxies, for requests to /goform/goform_get_cmd_process with non-alphanumeric values in order_by.
- Deploy network IDS signatures that match SQL injection payload patterns against the TR118 management URL.
- Correlate authentication events with subsequent SMS Check requests to identify abuse of valid credentials.
Monitoring Recommendations
- Forward router and gateway HTTP logs to a centralized analytics platform for retention and query.
- Alert on repeated 200-status responses to /goform/goform_get_cmd_process with anomalous query strings.
- Monitor for credential stuffing or brute force activity against the TR118 web UI that could precede authenticated exploitation.
How to Mitigate CVE-2024-10195
Immediate Actions Required
- Restrict access to the TR118 web management interface to trusted management networks only, and never expose it to the public internet.
- Change the default administrator password and enforce strong, unique credentials to raise the bar for the required privileged access.
- Disable the SMS Check feature where not in use to reduce the reachable attack surface.
Patch Information
No vendor patch or advisory has been published for CVE-2024-10195. The disclosure notes that the vendor was contacted but did not respond. Operators should track the VulDB entry for updates and contact Tecno Mobile directly to request remediation.
Workarounds
- Place the device behind a firewall that blocks inbound access to TCP ports used by the web management interface.
- Use ACLs on the router to limit administrative access to a single management workstation.
- Replace the device with a supported alternative if Tecno does not provide a fix within an acceptable risk window.
# Example: block external access to the TR118 web UI on an upstream firewall
iptables -A FORWARD -p tcp -d <TR118_IP> --dport 80 -m iprange ! --src-range 10.0.0.10-10.0.0.20 -j DROP
iptables -A FORWARD -p tcp -d <TR118_IP> --dport 443 -m iprange ! --src-range 10.0.0.10-10.0.0.20 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
