CVE-2023-24212 in AX3info

Summary

by MITRE • 02/24/2023

Tenda AX3 V16.03.12.11 was discovered to contain a stack overflow via the timeType function at /goform/SetSysTimeCfg.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 10/20/2025

The vulnerability identified as CVE-2023-24212 affects the Tenda AX3 wireless router firmware version V16.03.12.11, presenting a critical stack overflow condition that can be exploited through the timeType function within the /goform/SetSysTimeCfg endpoint. This issue represents a fundamental flaw in the router's input validation mechanisms, where untrusted data from network requests is processed without proper bounds checking, creating an exploitable condition that could allow remote attackers to execute arbitrary code on the affected device.

The technical implementation of this vulnerability stems from improper handling of user-supplied parameters within the SetSysTimeCfg form handler, specifically within the timeType function that processes system time configuration requests. When an attacker sends a malformed request containing excessive data to the timeType parameter, the application fails to validate the input length before copying it into a fixed-size stack buffer. This classic buffer overflow scenario enables attackers to overwrite adjacent stack memory locations, potentially corrupting program execution flow and allowing for code injection attacks that could lead to complete system compromise.

From an operational perspective, this vulnerability poses significant risks to network security as it allows remote code execution without authentication requirements, making it particularly dangerous in enterprise environments where such devices are commonly deployed. The attack surface extends beyond simple exploitation to include potential privilege escalation and persistent backdoor establishment, as demonstrated by the ATT&CK framework's techniques for code injection and privilege escalation. The vulnerability aligns with CWE-121, which describes stack-based buffer overflow conditions, and represents a critical weakness in the device's defensive architecture that could enable attackers to gain full administrative control over the network infrastructure.

The impact of this vulnerability extends to multiple security domains including network availability, data integrity, and confidentiality, as compromised routers can serve as entry points for broader network infiltration. Organizations utilizing affected Tenda AX3 devices should immediately implement network segmentation measures and consider disabling unnecessary services until firmware updates are deployed. Mitigation strategies should include network monitoring for suspicious traffic patterns targeting the vulnerable endpoint, implementing firewall rules to restrict access to the affected form handler, and applying vendor-provided security patches as soon as they become available. The vulnerability also highlights the importance of secure coding practices and input validation as outlined in industry standards such as the OWASP Top Ten and NIST cybersecurity frameworks, emphasizing the need for comprehensive security testing throughout the software development lifecycle to prevent similar issues in future firmware releases.

Reservation

01/23/2023

Disclosure

02/24/2023

Moderation

accepted

CPE

ready

EPSS

0.01056

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!