CVE-2022-41396 in AC1200
Summary
by MITRE • 11/15/2022
Tenda AC1200 Router Model W15Ev2 V15.11.0.10(1576) was discovered to contain multiple command injection vulnerabilities in the function setIPsecTunnelList via the IPsecLocalNet and IPsecRemoteNet parameters.
Analysis
by VulDB Data Team • 04/30/2025
CVE-2022-41396 is a command injection flaw in Tenda AC1200 routers, model W15Ev2, running firmware V15.11.0.10(1576). The weakness sits in the setIPsecTunnelList function, which handles IPsec tunnel configuration. Two of its parameters, IPsecLocalNet and IPsecRemoteNet, are meant to hold the local and remote network ranges of a tunnel; the function takes them from the request and uses them to build a system command without validating that they are network addresses, so shell metacharacters in either value are interpreted by the router's shell rather than treated as data. Each parameter is therefore an independent injection point, which is why the MITRE summary speaks of multiple vulnerabilities. This is the pattern catalogued as CWE-77 (Improper Neutralization of Special Elements used in a Command). The fix is strict validation of the expected input format, or avoiding the shell altogether; output encoding is not relevant to this class of bug.
Exploitation goes through the router's web management interface: the attacker submits a tunnel configuration request in which IPsecLocalNet or IPsecRemoteNet carries a command delimiter (for example ;, |, && or $( )) followed by the command to run. Because setIPsecTunnelList passes the value to the shell without neutralizing those characters, the appended command executes with the privileges of the router's web server process, which on embedded Linux devices of this class is commonly root, so the attacker typically obtains full control of the device in one step. From there the attacker can alter network configuration, redirect traffic or plant a backdoor. In ATT&CK terms the exploitation itself is T1190 (Exploit Public-Facing Application) where the management interface is reachable, and the resulting execution is T1059 (Command and Scripting Interpreter), specifically the Unix Shell sub-technique T1059.004 on a Linux-based router; T1059.001 is the PowerShell sub-technique and does not apply. T1068 (Exploitation for Privilege Escalation) is only relevant where the web server runs with less than root privilege.
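The following C program is an added illustration of the bug class, not code from the Tenda firmware or from VulDB. The page does not show the exact command that setIPsecTunnelList builds, so the command template, the ipsec_tunnel binary name and the function names below are assumptions; what matters is the pattern. The vulnerable helper pastes the two parameters into a string destined for system(), which hands it to /bin/sh -c; the hardened helper validates each value as an IPv4 CIDR with an allow-list check and builds an argv array for execve() so no shell ever parses the values.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <arpa/inet.h>

/* Hypothetical command template (an assumption for this example): the advisory
 * does not show the real command setIPsecTunnelList builds, only that both
 * parameters reach a shell unsanitized. */
#define CMD_TEMPLATE "ipsec_tunnel add --local %s --remote %s"

/* Vulnerable pattern: attacker-controlled strings are formatted into a command
 * line that would be handed to system(), i.e. to /bin/sh -c. The string is
 * only built here, never executed. Returns the length, or -1 on truncation. */
int build_tunnel_cmd_vuln(const char *local, const char *remote, char *out, size_t n)
{
    int len = snprintf(out, n, CMD_TEMPLATE, local, remote);
    if (len < 0 || (size_t)len >= n) return -1;
    return len;
}

/* Does the value contain anything a POSIX shell treats specially? Useful as a
 * detection heuristic, but not sufficient as a fix on its own (deny-lists miss
 * cases); the allow-list check below is what the hardened path relies on. */
int has_shell_meta(const char *s)
{
    return strpbrk(s, ";|&$`\"'\\<>()*?[]{}~ \t\n") != NULL;
}

/* Strict allow-list check: exactly "A.B.C.D/N" where the dotted quad is
 * accepted by inet_pton() and 0 <= N <= 32, with no other characters at all. */
int is_valid_ipv4_cidr(const char *s)
{
    char addr[INET_ADDRSTRLEN];
    struct in_addr tmp;
    const char *slash = strchr(s, '/');
    if (!slash) return 0;
    size_t alen = (size_t)(slash - s);
    if (alen == 0 || alen >= sizeof addr) return 0;
    memcpy(addr, s, alen);
    addr[alen] = '\0';
    if (inet_pton(AF_INET, addr, &tmp) != 1) return 0;

    const char *p = slash + 1;
    if (*p == '\0' || strlen(p) > 2) return 0;   /* prefix is 1 or 2 digits */
    int prefix = 0;
    for (; *p; p++) {
        if (!isdigit((unsigned char)*p)) return 0;
        prefix = prefix * 10 + (*p - '0');
    }
    return prefix <= 32;
}

/* Hardened pattern: validate both values against the allow-list, then build an
 * argv for execve()/posix_spawn() so the values are passed as single arguments
 * and no shell parses them. Returns the argv count (excluding the terminating
 * NULL) or -1 if either value is rejected. */
int build_tunnel_argv(const char *local, const char *remote, const char *argv[8])
{
    if (!is_valid_ipv4_cidr(local) || !is_valid_ipv4_cidr(remote)) return -1;
    argv[0] = "ipsec_tunnel";
    argv[1] = "add";
    argv[2] = "--local";
    argv[3] = local;
    argv[4] = "--remote";
    argv[5] = remote;
    argv[6] = NULL;
    return 6;
}

int main(void)
{
    /* Constructed sample input: a benign local net and a remote net carrying an
     * injected command, the shape of payload the advisory describes. */
    const char *local = "192.168.1.0/24";
    const char *remote = "10.0.0.0/24; telnetd -l /bin/sh -p 2323";
    char cmd[256];
    const char *argv[8];

    if (build_tunnel_cmd_vuln(local, remote, cmd, sizeof cmd) > 0)
        printf("string the vulnerable path would pass to system(): %s\n", cmd);
    printf("hardened path accepts the payload: %s\n",
           build_tunnel_argv(local, remote, argv) < 0 ? "no, rejected" : "yes");
    return 0;
}
```

The allow-list check is deliberately narrower than "no shell metacharacters": it rejects anything that is not a well-formed address and prefix, so it also catches values that are harmless to the shell but meaningless to the tunnel code. Moving from system() to an argv-based exec removes the shell from the path entirely, which is the more robust half of the fix; validation then protects the downstream program from malformed arguments.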
The operational impact of CVE-2022-41396 is severe for anyone relying on these routers as a network boundary. Once exploited, the attacker controls the device that forwards all of the network's traffic, which enables man-in-the-middle attacks, traffic interception and DNS manipulation, and turns the router into a pivot for attacking other hosts on the LAN. Router firmware of this kind is an embedded Linux system with standard Unix utilities available, so the injected command can download and run further tooling rather than being limited to what the web interface exposes. Organizations using these routers in office or residential settings therefore face data exfiltration, network disruption and lateral movement.

Two points on persistence deserve care. The vulnerability itself lives in the firmware and survives reboots until the firmware is updated, so a device that was cleaned but not patched can simply be re-exploited. Separately, a command injected at runtime does not survive a reboot on its own; long-term access comes from what the attacker writes to persistent storage during the initial compromise, such as modified configuration or startup scripts, which is why a compromised device should be reflashed rather than just restarted. Administrators should treat this as a high-priority issue: apply a fixed firmware version if the vendor provides one, and in the meantime restrict access to the management interface to trusted hosts and ensure it is not reachable from the WAN side. The flaw is also a reminder that embedded web interfaces must validate every configuration value against its expected format before it reaches a shell, the kind of practice called for in secure coding guidance for IoT and embedded devices from NIST and OWASP.