#VU97462 Out-of-bounds write in AC15 - CVE-2024-0533

Cybersecurity Help s.r.o.

Published: 2024-09-18

Vulnerability identifier: #VU97462

Vulnerability risk: Low

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-0533

CWE-ID: CWE-787

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
AC15
Hardware solutions / Routers & switches, VoIP, GSM, etc

Vendor: Shenzhen Tenda Technology Co.,Ltd.

Description

The vulnerability allows a remote privileged user to compromise vulnerable system.

The vulnerability exists in the file /goform/SetOnlineDevName of the component Web-based Management Interface. A remote privileged user can send a specially crafted file, trigger an out-of-bounds write and execute arbitrary code on the target system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

AC15: before 15.13.07.13

External links
https://vuldb.com/?id.250703
https://vuldb.com/?ctiid.250703
https://github.com/yaoyue123/iot/blob/main/Tenda/A15/SetOnlineDevName.devname.md

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM MQ Appliance

Out-of-bounds write in Tenda A15