CVE-2024-34974 Overview
CVE-2024-34974 is a buffer overflow vulnerability in the Tenda AC18 wireless router running firmware version 15.03.05.19. The flaw resides in the formSetPPTPServer function and is triggered through the endIp parameter. Remote attackers can send crafted HTTP requests to the router's web management interface to corrupt memory. Successful exploitation can crash the device or influence integrity of router operations. The weakness is classified under [CWE-125] (Out-of-bounds Read), affecting the device's PPTP server configuration handler.
Critical Impact
Unauthenticated network attackers can trigger out-of-bounds memory access in the Tenda AC18 router, leading to denial of service and potential integrity loss on affected devices.
Affected Products
- Tenda AC18 router (hardware)
- Tenda AC18 firmware version 15.03.05.19
- Devices exposing the PPTP server configuration endpoint to untrusted networks
Discovery Timeline
- 2024-05-14 - CVE-2024-34974 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2024-34974
Vulnerability Analysis
The vulnerability exists in the formSetPPTPServer handler within the Tenda AC18 web management interface. This handler processes configuration requests for the router's Point-to-Point Tunneling Protocol (PPTP) server. The handler reads the endIp parameter from incoming HTTP form data without performing adequate bounds validation. Attackers can supply oversized or malformed input to trigger an out-of-bounds memory access condition.
The attack requires no authentication and can be launched remotely against any reachable management interface. The flaw primarily impacts availability, with secondary integrity implications on the running router process.
Root Cause
The root cause is improper validation of user-controlled input passed to the endIp parameter inside formSetPPTPServer. The function copies or processes attacker-supplied data into a fixed-size buffer or reads past allocated memory boundaries. The absence of length checks on the endIp field allows memory corruption when crafted input exceeds expected dimensions, consistent with [CWE-125].
Attack Vector
Exploitation proceeds over the network through the router's HTTP-based configuration interface. An attacker submits a POST request to the PPTP server configuration endpoint with a malformed endIp value. The web server passes the value to formSetPPTPServer, where the boundary violation occurs. The EPSS score for this vulnerability is approximately 0.724%, indicating limited but non-trivial real-world exploitation interest. A public proof of concept is available in the GitHub PoC Repository.
The vulnerability manifests when the PPTP configuration handler processes the endIp field. See the linked PoC repository for request structure and reproduction steps.
Detection Methods for CVE-2024-34974
Indicators of Compromise
- Unexpected reboots or crashes of the Tenda AC18 device following inbound HTTP requests
- HTTP POST requests targeting the PPTP server configuration endpoint from untrusted sources
- Anomalous values in the endIp parameter that exceed normal IPv4 address length
- Loss of management interface availability without administrator action
Detection Strategies
- Inspect HTTP traffic destined for the router's management interface for malformed endIp parameters
- Alert on POST requests targeting formSetPPTPServer from outside management networks
- Correlate device unavailability events with preceding HTTP requests in network telemetry
- Baseline router uptime and surface deviations through network monitoring platforms
Monitoring Recommendations
- Forward router syslog and SNMP traps to a centralized logging platform for analysis
- Restrict network paths to the router management interface and log all access attempts
- Monitor for repeated connection attempts to TCP port 80 or 443 on the router from external addresses
- Track firmware version inventory to identify devices still running 15.03.05.19
How to Mitigate CVE-2024-34974
Immediate Actions Required
- Disable remote WAN-side management on all Tenda AC18 devices
- Restrict LAN-side management access to a dedicated administrative VLAN
- Disable the PPTP server feature if it is not required for operations
- Inventory all Tenda AC18 deployments and confirm firmware versions
Patch Information
No vendor advisory or patched firmware release has been published in the referenced data. Operators should monitor the Tenda support portal for firmware updates addressing formSetPPTPServer. Until a fix is available, apply network-level controls to prevent exposure of the management interface.
Workarounds
- Block external access to the router's HTTP and HTTPS management ports at upstream firewalls
- Disable PPTP server functionality through the router configuration interface
- Place vulnerable devices behind a network segment that filters untrusted traffic to management ports
- Replace end-of-life or unpatched Tenda AC18 hardware with supported alternatives where feasible
# Example: block external access to router management ports on an upstream firewall
iptables -A FORWARD -p tcp -d <router_ip> --dport 80 -j DROP
iptables -A FORWARD -p tcp -d <router_ip> --dport 443 -j DROP
# Disable PPTP passthrough if not required
iptables -A FORWARD -p tcp --dport 1723 -j DROP
iptables -A FORWARD -p gre -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

