Tenda AC7 Routers Vulnerability Let Attackers Gain Root Shell With Malicious Payload

A severe vulnerability in Tenda AC7 routers running firmware version V15.03.06.44 allows attackers to execute arbitrary code and gain a root shell on the device.

The flaw is a stack-based buffer overflow in the formSetFirewallCfg function of the router’s web management interface. When the router processes firewall configuration data submitted through the web interface, it copies the user-supplied value into a fixed-size stack buffer with strcpy, without checking that the value fits in the buffer.

The published exploit is a Python script that sends a specially crafted HTTP POST request to the “/goform/SetFirewallCfg” endpoint with an oversized “firewallEn” parameter, triggering the overflow. More concerning, further refinement of the payload could let an attacker establish a root shell on the compromised device and use it to maintain persistent access.

The implications for Tenda AC7 owners are significant. An attacker on the same network as a vulnerable router could exploit the flaw to take complete control of the device, intercept network traffic, or use the router as a launching point for attacks against other devices on the network.

In the absence of an official patch, network administrators should consider compensating measures, such as restricting access to the router’s management interface to trusted devices only. Such restrictions reduce exposure but do not remove the bug: anyone who can still reach the interface can trigger it.

This discovery highlights ongoing security challenges in consumer networking equipment. As connectivity becomes increasingly ubiquitous, manufacturers must prioritize security by implementing proper input validation, adopting memory-safe programming practices, and responding promptly to reported vulnerabilities.

Kaaviya is a Security Editor and fellow reporter with Cyber Security News.
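To make the mechanism concrete, the following is an added example, not Tenda’s firmware code and not the published Python PoC: a minimal re-creation of the pattern the article describes (a form parameter copied into a fixed-size stack buffer with strcpy semantics) beside a bounded, validating version of the same handler. The endpoint and parameter name come from the article; the 16-byte buffer size, the guard word standing in for what sits above the buffer on the stack, the parser standing in for the web server’s parameter lookup, and the assumption that firewallEn is an on/off flag are all assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size: the real size in formSetFirewallCfg is not public. */
#define FIREWALL_EN_MAX 16
#define GUARD_MAGIC 0xDEADC0DEu

/* Stand-in for the handler's stack frame: the fixed-size buffer, a guard word
 * standing in for what sits above it (saved registers, return address), and
 * slack so this demo's own overflow stays inside the struct. The guard is
 * volatile so the compiler must really re-read it after the copy. */
struct fw_frame {
    char firewall_en[FIREWALL_EN_MAX];
    volatile unsigned int guard;
    char spill[64];
};

/* strcpy written out by hand so a fortified libc does not abort the demo;
 * same semantics: copy until the source NUL, no idea how big dst is. */
static void unsafe_strcpy(char *dst, const char *src)
{
    while ((*dst++ = *src++) != '\0')
        ;
}

/* Pull key's value out of an application/x-www-form-urlencoded body into out
 * (NUL-terminated, truncated to outsz-1). Stands in for the web server's
 * parameter lookup that hands the handler a C string. Returns length or -1. */
static int extract_param(const char *body, const char *key, char *out, size_t outsz)
{
    size_t klen = strlen(key);
    const char *p = body;
    while (p && *p) {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *v = p + klen + 1;
            const char *end = strchr(v, '&');
            size_t n = end ? (size_t)(end - v) : strlen(v);
            if (n >= outsz)
                n = outsz - 1;
            memcpy(out, v, n);
            out[n] = '\0';
            return (int)n;
        }
        p = strchr(p, '&');
        if (p)
            p++;
    }
    return -1;
}

/* The pattern the article describes: user-controlled value copied into a
 * fixed-size buffer with no length check. Returns 1 if the guard survived,
 * 0 if the copy ran past the buffer and clobbered it. */
static int vulnerable_set_firewall(struct fw_frame *f, const char *value)
{
    f->guard = GUARD_MAGIC;
    unsafe_strcpy(f->firewall_en, value);
    return f->guard == GUARD_MAGIC;
}

/* Hardened form: refuse anything that does not fit with its terminator, and
 * since firewallEn is (assumed here) an on/off flag, accept only "0" or "1".
 * Returns 0 on success, -1 when the caller should answer 400 Bad Request. */
static int hardened_set_firewall(struct fw_frame *f, const char *value)
{
    size_t n = strlen(value);
    if (n >= FIREWALL_EN_MAX)
        return -1;
    if (n != 1 || (value[0] != '0' && value[0] != '1'))
        return -1;
    memcpy(f->firewall_en, value, n + 1);
    return 0;
}

/* Constructed POST body of the shape the PoC sends to /goform/SetFirewallCfg:
 * firewallEn= followed by value_len 'A's. Capped so the demo's overflow
 * never leaves fw_frame. Returns a pointer to a static buffer. */
static const char *oversized_body(size_t value_len)
{
    static char body[128];
    if (value_len > 80)
        value_len = 80;
    memcpy(body, "firewallEn=", 11);
    memset(body + 11, 'A', value_len);
    body[11 + value_len] = '\0';
    return body;
}

/* Feed one request body through the vulnerable handler; 1 = guard intact. */
static int vulnerable_guard_survives(const char *body)
{
    struct fw_frame f;
    char value[256];
    if (extract_param(body, "firewallEn", value, sizeof value) < 0)
        return 1; /* no parameter, nothing copied */
    return vulnerable_set_firewall(&f, value);
}

/* Feed one request body through the hardened handler; 1 = accepted. */
static int hardened_accepts(const char *body)
{
    struct fw_frame f;
    char value[256];
    if (extract_param(body, "firewallEn", value, sizeof value) < 0)
        return 0;
    return hardened_set_firewall(&f, value) == 0;
}

int main(void)
{
    const char *benign = "firewallEn=1";
    printf("%-22s vulnerable guard %s, hardened %s\n", benign,
           vulnerable_guard_survives(benign) ? "intact" : "CLOBBERED",
           hardened_accepts(benign) ? "accepts" : "rejects");
    size_t lens[] = { 15, 16, 40 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        const char *body = oversized_body(lens[i]);
        printf("firewallEn x %2zu 'A'    vulnerable guard %s, hardened %s\n", lens[i],
               vulnerable_guard_survives(body) ? "intact" : "CLOBBERED",
               hardened_accepts(body) ? "accepts" : "rejects");
    }
    return 0;
}
```

Compile with `gcc -O2 -Wall demo.c -o demo`. A 15-byte value fits with its NUL; at 16 bytes the terminator alone already lands on the guard, and at 40 bytes the value overwrites it entirely. On a real device the words above the buffer are saved registers and the return address, which is the step from an oversized parameter to code execution. The fix is the bounded copy, and tightening the accepted values to what the parameter actually means removes the remaining attack surface; restricting who can reach the management interface, as the article suggests, only limits who can send the request.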

This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 13 Mar 2025 10:25:08 +0000

