| Title | Tenda Tenda, Wireless N300 Easy setup Router Model F3, Firmware V603 (March 10, 2020) Improper Access Controls |
|---|
| Description | Improper access control in the UART debug interface of Tenda WiFi Repeater firmware V603 allows an attacker with physical access to perform arbitrary memory read and write operations.
The device exposes an unauthenticated CLI over UART that provides low-level commands such as "rr" (read memory) and "wr" (write memory). These commands allow direct access to arbitrary memory addresses without any restriction.
An attacker can use this capability to read sensitive data from memory, modify runtime structures, or corrupt system state, potentially leading to denial of service or undefined behavior.
The issue is caused by missing authentication and unrestricted access to privileged debug functionality.
Proof of Concept:
The UART debug interface is accessible at 115200 8N1. After boot, an unauthenticated CLI is available.
Example commands:
rr 0x807E0000
→ returns: 0x00000000
wr 0x807E0000 AABBCCDD
→ write succeeds
rr 0x807E0000
→ returns: 0xAABBCCDD
This confirms unrestricted read/write access to arbitrary memory.
The vendor has been contacted, and the issue is currently under a 90-day disclosure window. |
|---|
| User | ZEssaidi (UID 96801) |
|---|
| Submission | 03/26/2026 00:15 (16 days ago) |
|---|
| Moderation | 04/09/2026 11:54 (14 days later) |
|---|
| Status | Duplicate |
|---|
| VulDB entry | 242952 [D-Link DSL-2750U N300 ADSL2+/SL-2730U N150 ADSL2+ UART Interface access control] |
|---|
| Points | 0 |
|---|