CVE-2022-36552 Tenda AC6(AC1200) v5.0 Firmware v02.03.01.114 and below has a vulnerability in the component /cgi-bin/DownloadFlash which allows attackers to steal data such as source code and system files.

The affected component is present in the below firmware version of the Tenda AC6(AC1200) Router.

​ Firmware v02.03.01.114 and below

If you have upgraded your Router to v02.03.01.114 and if you haven’t, please be sure to upgrade as soon as possible to avoid any data loss.

After upgrading your Router, users are advised to do a factory reset to avoid any data loss.

After upgrading your Router, the system may ask you for your new WiFi password. You will be required to enter the password again.

If you have saved any files such as photos from your camera or videos from your camera in the system, you should backup your system before upgrading the Router.

If you saved any important files such as system configuration in the system, you should copy these files to another location to avoid any data loss.

After upgrading your Router, you should test the system to see if the issue has been resolved.

If you have any comments or concerns regarding this issue, you can reach us at the support email address given at the end of the advisory.

References:

- CVE-2022-36552
- Firmware v02.03.01.114 and below

The Tenda AC6(AC1200) Router's software has been found to contain a vulnerability that could be exploited by an attacker who is able to access the system via Wi-Fi, although this vulnerability would require more than a simple internet connection. The vulnerability exists in the Tenda AC6(AC1200) Router's Web UI, which contains several vulnerabilities that could be exploited by an attacker who is able to access the system over the Internet or via Wi-Fi to change settings or gain control of other systems connected to the router's interface. The following are details about this vulnerability:
1) A local privilege escalation vulnerability in Tenda AC6(AC1200) Router Web UI when user does not log in as admin
2) A remote code execution vulnerability via cross site scripting (XSS)
3) Sensitive information disclosure vulnerabilities that exist within the Web UI, including unencrypted firmware upgrade URL and FTP server credentials
4) Unauthenticated RCE from unauthenticated users leveraging incorrect authentication checks on SMB share connections

Symptoms

- When streaming movies and music, the sound may not be output at all or it may be distorted.
- When browsing a webpage, the tab does not move.
- When playing video games, images aren't displayed properly and cannot be saved to the system.
- The network interface may freeze.

Summary

Tenda AC6(AC1200) Router has been affected by a vulnerability - CVE-2022-36552. The affected component is present in the below firmware version of the Tenda AC6(AC1200) Router.

Firmware v02.03.01.114 and below

If you have upgraded your Router to v02.03.01.114 and if you haven’t, please be sure to upgrade as soon as possible to avoid any data loss. After upgrading your Router, users are advised to do a factory reset to avoid any data loss.
After upgrading your Router, the system may ask you for your new WiFi password. You will be required to enter the password again. If you have saved any files such as photos from your camera or videos from your camera in the system, you should backup your system before upgrading the Router. If you saved any important files such as system configuration in the system, you should copy these files to another location to avoid any data loss. After upgrading your Router, you should test the system to see if the issue has been resolved.

Timeline

Published on: 08/30/2022 16:15:00 UTC
Last modified on: 09/06/2022 18:43:00 UTC

References

• http://tenda.com
• https://drive.google.com/drive/folders/1VxR4lhaWNWLuAPdJK2aRF6zfo_mRyiFO?usp=sharing
• http://ac6ac1200.com
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-36552