Unauthenticated attackers can trigger a critical buffer overflow on Tenda W20E V4 routers to achieve remote code execution by sending specifically crafted DHCP rule data.

The vulnerability exists in the addDhcpRule function, where the system fails to validate the length of inputs for dhcpsIndex, dhcpsIP, and dhcpsMac. An unauthenticated attacker can provide overly long strings that overflow the allocated buffers during the sscanf operation.

The CVSS score of 9.8 reflects the severity of this flaw, which allows for complete system compromise without user interaction. An attacker could intercept network traffic, redirect users to malicious sites, or use the compromised router as a jump host for internal lateral movement. This poses a direct threat to the organization's primary network infrastructure.

Immediate Action: Apply the latest firmware update from Tenda specifically addressing the DHCP rule processing logic.

Proactive Monitoring: Monitor network traffic for malformed HTTP POST requests directed at the router's management endpoints.

Compensating Controls: Implement network segmentation to ensure that compromised IoT or networking devices cannot communicate with sensitive internal servers.

Public Exploit Available: false

The ability to execute code remotely on a core networking device necessitates immediate remediation. Administrators must prioritize the installation of patched firmware and verify that all internet-facing management services are disabled to minimize the attack surface.