CVE-2022-41395

An AC1200 router with a command injection vulnerability was discovered. The vulnerable function is setDMZ.

A hacker could exploit this vulnerability to execute arbitrary script code on the affected system. In short, this results in remote code execution.

CVE-2018-7487 has been assigned to this vulnerability.

Tenda AC1200 Router Model W15Ev2 V15.11.0.10(1576) was also found to be vulnerable to another command injection issue.

CVE-2018-7488 has been assigned to this vulnerability.

A command injection vulnerability occurs when an attacker injects malicious commands into web-based user interfaces to take over the affected device.
An attacker could host a specially crafted website on a malicious server, luring the user into entering malicious code in the web-based user interface of an affected device.
Redirecting the user to a malicious website could trick the user into giving the hacker unnecessary permissions to the device.

Tenda AC1200 Router Model W15Ev2 V15.11.0.10(1576) was discovered to be vulnerable to a cross-site scripting issue.

CVE-2018-7489 has been assigned to this vulnerability.

Redirecting users to a malicious website could trick the user into giving the hacker unnecessary permissions to the device.

Tenda AC1200 Router Model W15Ev2 V15.11.0.10(1576

Android-based router devices

There are also vulnerabilities in certain Android-based router devices, including Tenda AC1200 Router Model W15Ev2 V15.11.0.10(1576), which were discovered by Security Engineer Christopher Buddin from the company Tenable Network Security.

Timeline

Published on: 11/15/2022 03:15:00 UTC
Last modified on: 11/18/2022 21:34:00 UTC
