Details of VAR-202203-0590

ID

VAR-202203-0590

CVE

CVE-2022-25441

TITLE

Tenda AC9 Command Injection Vulnerability (CNVD-2022-26245)

Trust: 0.6

sources: CNVD: CNVD-2022-26245

DESCRIPTION

Tenda AC9 v15.03.2.21 was discovered to contain a remote command execution (RCE) vulnerability via the vlanid parameter in the SetIPTVCfg function. The Tenda AC9 is a wireless router from the Chinese company Tenda. The vulnerability stems from the fact that the vlanid parameter in the SetIPTVCfg function fails to properly filter the special elements that construct the code segment

Trust: 1.44

sources: NVD: CVE-2022-25441 // CNVD: CNVD-2022-26245

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2022-26245

AFFECTED PRODUCTS

vendor:	tenda	model:	ac9	scope:	eq	version:	15.03.2.21	Trust: 1.0
vendor:	tenda	model:	ac9	scope:	eq	version:	v15.03.2.21	Trust: 0.6

sources: CNVD: CNVD-2022-26245 // NVD: CVE-2022-25441

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-25441
value:	CRITICAL
Trust: 1.0
CNVD:	CNVD-2022-26245
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-202203-1847
value:	CRITICAL
Trust: 0.6

nvd@nist.gov:	CVE-2022-25441
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
CNVD:	CNVD-2022-26245
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2022-25441
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 1.0

sources: CNVD: CNVD-2022-26245 // CNNVD: CNNVD-202203-1847 // NVD: CVE-2022-25441

PROBLEMTYPE DATA

problemtype:

CWE-78

Trust: 1.0

sources: NVD: CVE-2022-25441

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202203-1847

TYPE

command injection

Trust: 0.6

sources: CNNVD: CNNVD-202203-1847

PATCH

title:	Patch for Tenda AC9 Command Injection Vulnerability (CNVD-2022-26245)	url:	https://www.cnvd.org.cn/patchInfo/show/328711	Trust: 0.6
title:	Tenda AC9 Fixes for command injection vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=186928	Trust: 0.6

sources: CNVD: CNVD-2022-26245 // CNNVD: CNNVD-202203-1847

EXTERNAL IDS

db:	NVD	id:	CVE-2022-25441	Trust: 2.2
db:	CNVD	id:	CNVD-2022-26245	Trust: 0.6
db:	CNNVD	id:	CNNVD-202203-1847	Trust: 0.6

sources: CNVD: CNVD-2022-26245 // CNNVD: CNNVD-202203-1847 // NVD: CVE-2022-25441

REFERENCES

url:	https://github.com/ephaha/iot_vuln/tree/main/tenda/ac9/12	Trust: 2.2
url:	https://cxsecurity.com/cveshow/cve-2022-25441/	Trust: 0.6

sources: CNVD: CNVD-2022-26245 // CNNVD: CNNVD-202203-1847 // NVD: CVE-2022-25441

SOURCES

db:	CNVD	id:	CNVD-2022-26245
db:	CNNVD	id:	CNNVD-202203-1847
db:	NVD	id:	CVE-2022-25441

LAST UPDATE DATE

2024-11-23T22:47:29.716000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2022-26245	date:	2022-04-06T00:00:00
db:	CNNVD	id:	CNNVD-202203-1847	date:	2022-03-28T00:00:00
db:	NVD	id:	CVE-2022-25441	date:	2024-11-21T06:52:11.467

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2022-26245	date:	2022-04-06T00:00:00
db:	CNNVD	id:	CNNVD-202203-1847	date:	2022-03-18T00:00:00
db:	NVD	id:	CVE-2022-25441	date:	2022-03-18T21:15:08.323