CVE-2023-2649

Tenda AC23 Service Port 7329 ate command injection

Severity Score

8.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

NVD
MITRE

A vulnerability was found in Tenda AC23 16.03.07.45_cn. It has been declared as critical. This vulnerability affects unknown code of the file /bin/ate of the component Service Port 7329. The manipulation of the argument v2 leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-228778 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

In Tenda AC23 16.03.07.45_cn wurde eine Schwachstelle ausgemacht. Sie wurde als kritisch eingestuft. Dabei geht es um eine nicht genauer bekannte Funktion der Datei /bin/ate der Komponente Service Port 7329. Dank der Manipulation des Arguments v2 mit unbekannten Daten kann eine command injection-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei über das Netzwerk erfolgen. Der Exploit steht zur öffentlichen Verfügung.

*Credits: dengxiquan

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

Multiple

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-05-11 CVE Reserved
2023-05-11 CVE Published
2024-08-02 CVE Updated
2024-08-02 First Exploit
2024-10-21 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CAPEC

References (2)

URL	Tag	Source
https://vuldb.com/?id.228778	Technical Description

URL	Date	SRC
https://github.com/xinzhihen06/ac23tenda/blob/main/tendaAC23.md	2024-08-02

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Tenda Search vendor "Tenda"	Ac23 Firmware Search vendor "Tenda" for product "Ac23 Firmware"	16.03.07.45_cn Search vendor "Tenda" for product "Ac23 Firmware" and version "16.03.07.45_cn"	-	Affected	in	Tenda Search vendor "Tenda"	Ac23 Search vendor "Tenda" for product "Ac23"	-	-	Safe