CVE-2023-41563 in AC9
Summary
by MITRE • 08/30/2023
Tenda AC9 V3.0 V15.03.06.42_multi and Tenda AC5 US_AC5V1.0RTL_V15.03.06.28 were discovered to contain a stack overflow via parameter mac at URL /goform/GetParentControlInfo.
Analysis
by VulDB Data Team • 02/01/2026
This vulnerability affects the Tenda AC9 router firmware V3.0 V15.03.06.42_multi and the Tenda AC5 firmware US_AC5V1.0RTL_V15.03.06.28. It is a critical stack overflow that can be exploited through a specially crafted mac parameter at the URL endpoint /goform/GetParentControlInfo, where the device fails to properly validate or sanitize input parameters before processing them. The flaw falls under CWE-121 (stack-based buffer overflow): insufficient bounds checking allows an attacker to overwrite adjacent memory locations on the stack. The device's web-based management interface accepts HTTP requests containing the mac parameter, and improper handling of that parameter creates the exploitable condition.
The operational impact extends beyond denial of service, because the flaw can potentially allow remote code execution on the affected devices. An HTTP request whose mac value exceeds the allocated stack buffer causes a stack overflow that may lead to arbitrary code execution with the privileges of the web server process. This is a significant threat to network security: routers are core network infrastructure, and compromise of these devices can lead to complete network takeover, data interception, or lateral movement within the network. The vulnerability is particularly concerning because it affects multiple firmware versions and device models, indicating a widespread issue in the manufacturer's codebase.
The attack vector is straightforward and requires only an unauthenticated HTTP request to the vulnerable URL endpoint. A request to /goform/GetParentControlInfo with a mac parameter that exceeds the buffer size can cause a crash or allow code execution. The vulnerability maps directly to ATT&CK technique T1210 (Exploitation of Remote Services), as it exploits a service running on a network infrastructure device. The lack of input validation and proper bounds checking lets attackers manipulate the program flow and potentially gain unauthorized access to the device's operating system.
Mitigation should include immediate firmware updates from Tenda that address the stack overflow condition and implement proper input validation at the parameter level. Network administrators should also use network segmentation and access controls to limit exposure, and deploy network monitoring that can detect traffic consistent with exploitation attempts, including unusual HTTP request patterns targeting known vulnerable endpoints. The vulnerability highlights the importance of secure coding practices and input validation in embedded systems, particularly in network infrastructure devices that are often deployed without regular security updates.
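One way to apply the parameter-level validation described above, as an added example rather than Tenda's code or anything from the original entry. The function name parse_mac_param, its status codes and the colon-separated 17-character MAC format are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAC_STR_LEN 17 /* "aa:bb:cc:dd:ee:ff" without the terminator */

enum mac_status { MAC_OK = 0, MAC_MISSING = -1, MAC_BAD_LENGTH = -2, MAC_BAD_FORMAT = -3 };

/*
 * Hypothetical helper, not Tenda's code. It validates the request's "mac"
 * value before anything is written to the caller's fixed-size buffer.
 * It stands in for an unbounded copy such as strcpy(stack_buf, mac_param),
 * where the sender-chosen length decides how much of the stack is overwritten.
 */
enum mac_status parse_mac_param(const char *in, char out[MAC_STR_LEN + 1])
{
    out[0] = '\0';
    if (in == NULL)
        return MAC_MISSING;

    /* Read at most MAC_STR_LEN + 1 bytes of untrusted input. */
    for (size_t i = 0; i < MAC_STR_LEN; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c == '\0')
            return MAC_BAD_LENGTH;              /* too short */
        int sep_pos = (i % 3 == 2);             /* offsets 2, 5, 8, 11, 14 */
        if (sep_pos ? (c != ':') : !isxdigit(c))
            return MAC_BAD_FORMAT;
    }
    if (in[MAC_STR_LEN] != '\0')
        return MAC_BAD_LENGTH;                  /* too long: reject, never truncate */

    /* Length is now proven to be exactly MAC_STR_LEN, so the copy is bounded. */
    memcpy(out, in, MAC_STR_LEN);
    out[MAC_STR_LEN] = '\0';
    return MAC_OK;
}

int main(void)
{
    char mac[MAC_STR_LEN + 1];
    /* Constructed sample values. */
    printf("valid:     %d\n", parse_mac_param("00:11:22:aa:bb:cc", mac));
    printf("too long:  %d\n", parse_mac_param("00:11:22:aa:bb:ccAAAAAAAAAAAAAAAA", mac));
    printf("malformed: %d\n", parse_mac_param("00-11-22-aa-bb-cc", mac));
    return 0;
}
```

Rejecting an over-long value outright, instead of truncating it, also leaves a clear error path that the web server can log for the monitoring described above.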