A critical vulnerability has been identified in multiple Tenda networking products, carrying a CVSS score of 9.8. This flaw allows an unauthenticated attacker on the same network to execute arbitrary code and gain complete control over an affected device by sending a specially crafted request. Successful exploitation could lead to a full network compromise, data theft, and the use of the device in further attacks.

This vulnerability is a pre-authentication stack-based buffer overflow in the web management interface. It exists within the GetParentControlInfo function, which is accessible via the /goform/GetParentControlInfo endpoint. An unauthenticated attacker can send a crafted HTTP request with an overly long value in the mac argument. The application fails to properly validate the length of this input, leading to a buffer overflow on the stack, which can be leveraged to crash the device or, more severely, achieve remote code execution with root privileges.

This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation by an unauthenticated attacker allows for a complete takeover of the affected networking device. This could lead to severe business disruption, including the interception and redirection of all network traffic, compromise of internal network segments, and data exfiltration. A compromised router can serve as a persistent pivot point for attackers to launch further attacks against other systems within the organization's network and can be co-opted into a botnet for use in external attacks like DDoS campaigns.

Immediate Action: Update all affected Tenda devices to the latest firmware version as recommended by the vendor. After patching, monitor for any signs of exploitation attempts by reviewing web access logs for suspicious activity targeting the vulnerable endpoint that may have occurred prior to the update.

Proactive Monitoring:

• Monitor web server logs for anomalous requests to the /goform/GetParentControlInfo endpoint, specifically looking for requests containing an abnormally long value in the mac parameter.
• Implement network intrusion detection system (NIDS) rules to detect and alert on traffic patterns indicative of this exploit.
• Monitor for any unexpected outbound connections originating from the Tenda devices, which could indicate a successful compromise.

Compensating Controls:

• If immediate patching is not feasible, restrict access to the device's web management interface to a trusted and isolated management network.
• Implement firewall rules to block any external access to the device's management interface from the internet.
• If available, use a Web Application Firewall (WAF) to filter and block malicious requests targeting the /goform/GetParentControlInfo endpoint.

Public Exploit Available: false

Given the critical severity of this vulnerability, immediate action is required. All organizations using affected Tenda products must prioritize the deployment of vendor-supplied firmware updates to mitigate the risk of a full network compromise. Although this vulnerability is not currently listed on the CISA KEV catalog, its high impact and the widespread deployment of these devices make it a likely candidate for future inclusion. If patching cannot be performed immediately, the compensating controls listed above should be implemented as a matter of urgency to reduce the attack surface.