CVE-2022-45980 in AX12
Summary
by MITRE • 12/12/2022
Tenda AX12 V22.03.01.21_CN was discovered to contain a Cross-Site Request Forgery (CSRF) via /goform/SysToolRestoreSet .
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 04/23/2025
The vulnerability identified as CVE-2022-45980 affects the Tenda AX12 wireless router model with firmware version V22.03.01.21_CN, representing a critical cross-site request forgery flaw that compromises the device's administrative security. This vulnerability resides within the web interface's administrative endpoint /goform/SysToolRestoreSet, which handles system restore functionality. The flaw allows unauthorized attackers to perform administrative actions on the device without proper authentication, exploiting the absence of proper CSRF protection mechanisms in the affected firmware.
The technical implementation of this vulnerability stems from the router's web application failing to validate the origin of requests made to the SysToolRestoreSet endpoint. This endpoint is designed to restore factory settings of the device, a highly privileged operation that should only be executable by authenticated administrators. However, the absence of anti-CSRF tokens or referer validation means that a malicious actor can craft a specially crafted web page or exploit that, when visited by an authenticated user, automatically submits a request to the router's administrative interface to restore system settings. This represents a classic CSRF attack vector where the attacker leverages the user's existing authenticated session to execute unauthorized administrative commands.
The operational impact of this vulnerability is significant as it allows an attacker to completely reset the router's configuration, potentially wiping out all network settings including Wi-Fi credentials, firewall rules, and administrative passwords. This could result in complete network disruption and provide attackers with persistent access to the network infrastructure. The vulnerability is particularly dangerous because it requires no special privileges or credentials to exploit, making it accessible to anyone who can convince a legitimate user to visit a malicious website. This scenario aligns with the CWE-352 weakness classification for Cross-Site Request Forgery, where the application fails to validate the origin of requests, and can be categorized under the ATT&CK technique T1566.002 for Phishing with Malicious Attachments or Links, as the exploitation typically occurs through social engineering.
Mitigation strategies for this vulnerability should focus on implementing proper CSRF protection mechanisms within the router's web interface. The device firmware must be updated to include anti-CSRF tokens that are validated on each request to privileged endpoints like SysToolRestoreSet. Additionally, the implementation should include referer header validation and origin checking to ensure that requests originate from the legitimate administrative interface. Network administrators should immediately update the firmware to the latest version provided by Tenda, as the manufacturer has likely released patches addressing this specific vulnerability. Organizations should also implement network monitoring to detect unusual administrative activities and consider network segmentation to limit the potential impact of such compromises. The vulnerability demonstrates the critical importance of implementing proper session management and request validation in network device web interfaces, as highlighted in industry best practices for secure web application development and the NIST Cybersecurity Framework's risk management guidelines.