A critical vulnerability has been identified in multiple Tenda products, allowing a remote, unauthenticated attacker to take complete control of an affected device. This flaw is a stack-based buffer overflow that can be triggered by a specially crafted web request, leading to arbitrary code execution. Due to its critical severity (CVSS 9.8) and the public availability of an exploit, this vulnerability poses a significant and immediate threat to network security.

This vulnerability is a stack-based buffer overflow within the HTTP Request Handler component of the device's firmware. Specifically, an unknown function processing requests to the /goform/onSSIDChange endpoint fails to properly validate the length of the ssid_index argument. A remote, unauthenticated attacker can send a crafted HTTP POST request with an overly long value for the ssid_index parameter, causing a buffer overflow on the stack, which can be leveraged to execute arbitrary code with the privileges of the web server process (typically root).

This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation could lead to a complete compromise of the affected network device. An attacker could intercept sensitive network traffic, pivot to attack other systems on the internal network, use the device as part of a botnet for DDoS attacks, or completely disrupt network connectivity. The business risks include data breaches, significant operational downtime, reputational damage, and the potential for the compromised device to be used as a foothold for a larger network intrusion.

Immediate Action: Update all affected Tenda Multiple Products to the latest firmware version released by the vendor to patch this vulnerability. After patching, monitor for any signs of post-exploitation activity and review access logs for requests matching the attack pattern.

Proactive Monitoring: Security teams should monitor web server access logs on Tenda devices for anomalous POST requests to the /goform/onSSIDChange URI, particularly those with an unusually long ssid_index parameter. Monitor outbound network traffic from these devices for connections to unknown or malicious IP addresses. An Intrusion Detection System (IDS) or Web Application Firewall (WAF) can be configured with rules to detect and block exploit attempts.

Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce risk:

• Disable WAN (internet-facing) access to the device's web administration interface.
• If remote administration is required, restrict access to trusted IP addresses only using firewall rules.
• Deploy a Web Application Firewall (WAF) to inspect and block malicious requests targeting the vulnerable endpoint.
• Ensure the device is on a segmented network to limit an attacker's ability to pivot to more critical systems if the device is compromised.

Public Exploit Available: true

Given the critical severity (CVSS 9.8), remote exploitability without authentication, and the confirmed public availability of an exploit, this vulnerability requires immediate attention. We strongly recommend that all affected Tenda devices be patched on an emergency basis, prioritizing those that are internet-facing. If patching cannot be performed immediately, implement the recommended compensating controls, especially the restriction of WAN access to the management interface, to mitigate the immediate risk of compromise. Security teams should assume active exploitation is occurring and hunt for indicators of compromise within the network.