A critical remote code execution vulnerability has been identified in multiple Tenda networking products. The flaw allows a remote, unauthenticated attacker to take full control of an affected device by sending a specially crafted request, posing a severe risk to network security, data confidentiality, and availability. Since an exploit has been made public, the likelihood of attack is high.

This is a stack-based buffer overflow vulnerability within the HTTP Request Handler component of the device's firmware. An unauthenticated attacker can send a malicious HTTP POST request to the /goform/PPTPClient endpoint. By providing an overly long string in the netmsk parameter of this request, the attacker can overwrite the program's stack, leading to arbitrary code execution with the privileges of the device's web server, which is typically root.

This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation would result in a complete compromise of the affected Tenda device. An attacker could gain full administrative control, allowing them to intercept or redirect all network traffic, install persistent backdoors, launch attacks against other devices on the internal network, or incorporate the device into a botnet for use in larger-scale attacks like DDoS. This poses a significant risk to data confidentiality, operational integrity, and the security of the entire network connected to the device.

Immediate Action: Update affected Tenda products to the latest version. After applying the patch, it is crucial to monitor for any signs of prior exploitation and review system and access logs for any suspicious activity targeting the /goform/PPTPClient endpoint.

Proactive Monitoring: Security teams should monitor network traffic for HTTP requests to the /goform/PPTPClient URI, specifically inspecting for abnormally long values in the netmsk parameter. Monitor affected devices for unusual outbound connections, high CPU utilization, or unauthorized configuration changes, as these can be indicators of compromise.

Compensating Controls: If patching cannot be performed immediately, disable remote (WAN) access to the device's web administration interface. If remote administration is required, ensure it is only accessible through a secure VPN with multi-factor authentication. Consider implementing a Web Application Firewall (WAF) or intrusion prevention system (IPS) rules to block malicious requests targeting the vulnerable endpoint.

Public Exploit Available: true

Given the critical severity (CVSS 9.8), remote exploitability, and the confirmed availability of a public exploit, this vulnerability represents an immediate and severe threat. All organizations using affected Tenda products must prioritize the application of vendor-supplied patches immediately. Due to the high likelihood of active exploitation, this vulnerability should be treated as an active threat, and remediation efforts should be expedited to prevent device compromise and subsequent network intrusion.