CVE-2024-10697

A vulnerability has been found in Tenda AC6 15.03.05.19 and classified as critical. Affected by this vulnerability is the function formWriteFacMac of the file /goform/WriteFacMac of the component API Endpoint. The manipulation of the argument mac leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

CVSS v3.0 9.8 CRITICAL

9.8^/10

CVSS v3.0 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/theRaz0r/iot-mycve/blob/main/tenda_ac6_rce_WriteFacMac/tenda_ac6_rce_WriteFacMac.md	Exploit Third Party Advisory
https://vuldb.com/?ctiid.282865	Permissions Required Third Party Advisory
https://vuldb.com/?id.282865	Permissions Required Third Party Advisory
https://vuldb.com/?submit.434934	Third Party Advisory
https://www.tenda.com.cn/	Product

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:tenda:ac6_firmware:15.03.05.19:*:*:*:*:*:*:*

cpe:2.3:h:tenda:ac6:-:*:*:*:*:*:*:*

History

05 Apr 2025, 07:15

Type	Values Removed	Values Added
CWE		CWE-74
Summary	A vulnerability has been found in Tenda AC6 15.03.05.19 and classified as critical. Affected by this vulnerability is the function formWriteFacMac of the file /goform/WriteFacMac of the component API Endpoint. The manipulation of the argument The leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.	A vulnerability has been found in Tenda AC6 15.03.05.19 and classified as critical. Affected by this vulnerability is the function formWriteFacMac of the file /goform/WriteFacMac of the component API Endpoint. The manipulation of the argument mac leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

04 Nov 2024, 14:18

Type	Values Removed	Values Added
First Time		Tenda ac6 Tenda ac6 Firmware Tenda
CPE		cpe:2.3:o:tenda:ac6_firmware:15.03.05.19:::::::* cpe:2.3:h:tenda:ac6:-:::::::*
CWE		CWE-77
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
References	~~() https://vuldb.com/?ctiid.282865 -~~	() https://vuldb.com/?ctiid.282865 - Permissions Required, Third Party Advisory
References	~~() https://www.tenda.com.cn/ -~~	() https://www.tenda.com.cn/ - Product
References	~~() https://vuldb.com/?id.282865 -~~	() https://vuldb.com/?id.282865 - Permissions Required, Third Party Advisory
References	~~() https://github.com/theRaz0r/iot-mycve/blob/main/tenda_ac6_rce_WriteFacMac/tenda_ac6_rce_WriteFacMac.md -~~	() https://github.com/theRaz0r/iot-mycve/blob/main/tenda_ac6_rce_WriteFacMac/tenda_ac6_rce_WriteFacMac.md - Exploit, Third Party Advisory
References	~~() https://vuldb.com/?submit.434934 -~~	() https://vuldb.com/?submit.434934 - Third Party Advisory

02 Nov 2024, 12:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-02 12:15

Updated : 2025-04-05 07:15

NVD link : CVE-2024-10697

Mitre link : CVE-2024-10697

JSON object : View

Products Affected

tenda

ac6_firmware
ac6

CWE

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

9.8 /10