CVE-2023-27013 in AC10info

Summary

by MITRE • 04/07/2023

Tenda AC10 US_AC10V4.0si_V16.03.10.13_cn was discovered to contain a stack overflow via the get_parentControl_list_Info function. This vulnerability allows attackers to cause a Denial of Service (DoS) or execute arbitrary code via a crafted payload.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 11/14/2025

The vulnerability identified as CVE-2023-27013 represents a critical stack overflow flaw within the Tenda AC10 US_AC10V4.0si_V16.03.10.13_cn firmware implementation. This issue manifests specifically within the get_parentControl_list_Info function, which processes incoming data without adequate input validation or bounds checking mechanisms. The stack overflow vulnerability arises when maliciously crafted payloads are sent to the affected device, exploiting improper memory management practices that fail to validate the length or content of user-supplied data before processing.

The technical exploitation of this vulnerability occurs through the manipulation of the get_parentControl_list_Info function, which serves as an entry point for processing parent control list information within the router's web interface. When an attacker sends a specially crafted payload containing excessive data or malformed input parameters, the function fails to properly handle the input size, leading to stack memory corruption. This memory corruption can result in unpredictable program behavior, including application crashes, system instability, or complete device reboot cycles that constitute a denial of service condition.

From an operational perspective, this vulnerability presents significant risks to network security and availability. The ability to execute arbitrary code through this stack overflow means that attackers could potentially gain unauthorized access to the device's underlying operating system, allowing for complete compromise of the router's functionality. The denial of service aspect of this vulnerability could be exploited to disrupt network connectivity for extended periods, affecting all devices connected to the compromised network. The impact extends beyond individual device compromise as routers serve as critical network infrastructure components, making this vulnerability particularly dangerous in enterprise or residential gateway scenarios where network reliability is paramount.

The vulnerability aligns with CWE-121, which describes stack-based buffer overflow conditions, and represents a classic example of improper input validation in network device firmware implementations. From an attack framework perspective, this vulnerability maps to multiple ATT&CK techniques including T1210 - Exploitation of Remote Services and T1499 - Endpoint Detection and Response Evasion, as the exploitation could occur through web-based interfaces and potentially evade traditional network monitoring solutions. The attack surface is particularly concerning given that many router firmware implementations lack robust memory protection mechanisms such as stack canaries or address space layout randomization that would otherwise mitigate stack overflow exploitation.

Mitigation strategies for this vulnerability should prioritize immediate firmware updates from Tenda, as the manufacturer is likely to have released patches addressing this specific stack overflow condition. Network administrators should implement network segmentation and access controls to limit exposure of affected devices to untrusted networks, while also monitoring for suspicious traffic patterns that might indicate exploitation attempts. Additional protective measures include disabling unnecessary web interfaces, implementing network access control lists, and establishing regular firmware update policies to ensure all network devices maintain current security patches. The vulnerability also underscores the importance of secure coding practices in embedded systems and highlights the need for comprehensive security testing of firmware implementations before deployment in production environments.

Reservation

02/27/2023

Disclosure

04/07/2023

Moderation

accepted

CPE

ready

EPSS

0.01069

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!