CVE-2023-38933 in AC6
Summary
by MITRE • 08/07/2023
Tenda AC6 V2.0 V15.03.06.23, AC7 V1.0 V15.03.06.44, F1203 V2.0.1.6, AC5 V1.0 V15.03.06.28, FH1203 V2.0.1.6 and AC9 V3.0 V15.03.06.42_multi, and FH1205 V2.0.0.7(775) were discovered to contain a stack overflow via the deviceId parameter in the formSetClientState function.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 01/21/2026
The vulnerability identified as CVE-2023-38933 represents a critical stack overflow flaw affecting multiple Tenda wireless router models including AC6 V2.0, AC7 V1.0, F1203 V2.0.1.6, AC5 V1.0, FH1203 V2.0.1.6, AC9 V3.0, and FH1205 V2.0.0.7. This vulnerability manifests within the formSetClientState function where the deviceId parameter is processed without adequate input validation, creating a potential entry point for malicious exploitation. The affected devices operate on firmware versions ranging from V15.03.06.23 to V15.03.06.44, indicating this flaw exists across several generations of Tenda networking equipment. The stack overflow vulnerability occurs when an attacker crafts a specially malformed deviceId parameter that exceeds the allocated stack buffer space, leading to potential memory corruption and arbitrary code execution. This flaw falls under CWE-121 Stack-based Buffer Overflow, which is classified as a critical weakness in software security architecture. The vulnerability directly aligns with ATT&CK technique T1210 Exploitation of Remote Services, as it enables remote code execution through web interface manipulation.
The technical implementation of this vulnerability demonstrates a classic buffer overflow condition where the firmware fails to properly validate the length of the deviceId parameter before copying it to a fixed-size stack buffer. When the input exceeds the buffer capacity, adjacent memory locations become overwritten, potentially corrupting the stack frame and execution flow. Attackers can exploit this by sending a malicious HTTP request containing an oversized deviceId value to the router's web interface, which then processes this parameter through the vulnerable formSetClientState function. The impact extends beyond simple denial of service as the stack corruption can lead to complete system compromise, allowing attackers to execute arbitrary commands with the privileges of the web server process. This presents a significant risk to home and small office networks where these devices serve as primary gateways, potentially enabling attackers to establish persistent access, redirect traffic, or exfiltrate sensitive data. The vulnerability affects devices that are widely deployed in residential and commercial environments, making the potential impact substantial.
The operational consequences of this vulnerability are severe and multifaceted across various threat scenarios. Network administrators and end users face potential exposure to remote code execution attacks that could result in complete network compromise, as the attacker gains the ability to manipulate router configurations and potentially escalate privileges to full system control. The vulnerability's remote exploitability means that attackers do not require physical access to the devices, enabling large-scale attacks against unpatched networks. Organizations relying on these devices for network infrastructure may experience service disruption, data breaches, or unauthorized network access, particularly in environments where router management interfaces are exposed to external networks. The impact is further compounded by the fact that these devices are commonly configured with default credentials and may lack proper network segmentation, creating additional attack vectors. Security professionals should note that this vulnerability could be leveraged as part of broader attack campaigns targeting network infrastructure, potentially enabling attackers to establish backdoors or pivot to other network resources. The widespread deployment of affected Tenda models across different geographical regions and network types increases the attack surface significantly, making this vulnerability particularly dangerous in enterprise and critical infrastructure environments where network reliability and security are paramount.