CVE-2024-10697: Tenda AC6 Firmware RCE Vulnerability

CVE-2024-10697 Overview

CVE-2024-10697 is a command injection vulnerability in the Tenda AC6 wireless router running firmware version 15.03.05.19. The flaw resides in the formWriteFacMac function handling requests to the /goform/WriteFacMac API endpoint. An attacker can manipulate the mac argument to inject arbitrary operating system commands. The vulnerability is exploitable remotely over the network and a public proof-of-concept has been disclosed.

Critical Impact

Remote attackers can inject arbitrary commands through the mac parameter and execute them on the router, potentially gaining persistent control over the device and the network it serves.

Affected Products

• Tenda AC6 router (hardware)
• Tenda AC6 firmware version 15.03.05.19
• API endpoint /goform/WriteFacMac exposing the formWriteFacMac handler

Discovery Timeline

• 2024-11-02 - CVE-2024-10697 published to NVD
• 2025-04-05 - Last updated in NVD database

Technical Details for CVE-2024-10697

Vulnerability Analysis

The vulnerability is a command injection flaw [CWE-77] rooted in improper neutralization of special elements used in a command [CWE-74]. The formWriteFacMac handler processes HTTP requests submitted to /goform/WriteFacMac and consumes the mac parameter without sanitizing shell metacharacters. The parameter value is passed into a system command invocation on the underlying Linux-based router OS.

Because the router exposes the affected endpoint through its web management interface, an attacker who can reach the device over the network can deliver a crafted request. Successful exploitation yields command execution under the privileges of the web server process, which on consumer SOHO routers is typically root. A compromised router enables traffic interception, DNS hijacking, lateral movement into the LAN, and recruitment into botnets.

Root Cause

The root cause is the absence of input validation and output encoding on the mac argument before it is concatenated into a shell command. Tenda's firmware passes the attacker-controlled string into a function such as system() or popen() without escaping characters like ;, &, |, or backticks.

Attack Vector

The attack vector is network-based and requires low privileges. An attacker sends an HTTP POST request to /goform/WriteFacMac containing a mac value that includes shell separators followed by the desired command. The injected payload executes on the device immediately. Refer to the GitHub PoC Repository for technical reproduction details.

No synthetic exploit code is reproduced here. Practitioners can review the public write-up linked above for the exact request structure used in the disclosed proof-of-concept.

Detection Methods for CVE-2024-10697

Indicators of Compromise

• HTTP requests to the /goform/WriteFacMac endpoint containing shell metacharacters (;, |, &, `, $()) inside the mac parameter.
• Unexpected outbound connections originating from the router's management IP, particularly to unknown command-and-control hosts.
• Modified DNS, NTP, or firewall configuration on the AC6 device that was not initiated by an administrator.
• New processes or cron entries on the router that reference downloaded binaries from wget or curl operations.

Detection Strategies

• Inspect web access logs on the router or any upstream proxy for POST requests targeting /goform/WriteFacMac from non-administrative source addresses.
• Apply network IDS signatures that flag mac= parameter values containing characters outside the MAC address character set (0-9, A-F, :, -).
• Correlate router management plane traffic with EPSS-prioritized vulnerability data; this CVE carries an EPSS probability of 83.113%, indicating active interest in exploitation.

Monitoring Recommendations

• Forward router syslog and management interface logs to a centralized SIEM for retention and correlation.
• Alert on any administrative API calls originating from the WAN interface, which should be disabled by default.
• Baseline outbound traffic from the router itself and alert on deviations such as connections to non-standard ports or IRC-style protocols associated with IoT botnets.

How to Mitigate CVE-2024-10697

Immediate Actions Required

• Disable remote (WAN-side) management on the Tenda AC6 immediately to reduce the attack surface.
• Restrict access to the router's LAN-side management interface using ACLs or a separate management VLAN.
• Audit the router for unauthorized configuration changes, new accounts, or unexpected firmware modifications.
• Rotate any credentials that may have been exposed through the device, including Wi-Fi PSKs and admin passwords.

Patch Information

As of the last NVD update on 2025-04-05, no vendor patch has been published for firmware version 15.03.05.19 of the Tenda AC6. Monitor the Tenda Official Website for firmware updates addressing this issue. Where no patch is available, organizations should plan device replacement or strict network isolation.

Workarounds

• Place the AC6 behind an upstream firewall and block inbound access to TCP ports used by the management web interface.
• Segment the router onto an isolated network so a compromise cannot pivot to sensitive internal assets.
• Replace the affected device with hardware that receives current security maintenance if no firmware fix is released.
• Deploy a web application firewall or intrusion prevention rule that drops requests to /goform/WriteFacMac containing non-hex characters in the mac parameter.

# Example iptables rule restricting management access to a trusted admin host
iptables -A INPUT -p tcp --dport 80 -s 192.0.2.10 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -s 192.0.2.10 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP