Tenda Router Has Hardcoded Credentials and Other Dangerous Vulnerabilities

Silviu STAHIE

July 15, 2020

Researchers found quite a few major vulnerabilities in a popular Tenda router, including one that allowed attackers to log in as root. The device hasn’t been updated in a few years, and the company has yet to respond to notifications.

Security researchers at ISE Labs investigated the Tenda AC15 AC1900 Smart Dual-band Gigabit Wi-Fi router, and what they found is both worrying and predictable. Just last week, a Fraunhofer study looked at how often commercial routers are updated and at some of the vulnerabilities commonly found in them. It found that, on average, popular commercial routers had not received an update in the past year, and some for even longer.

The researchers who looked at the AC15 AC1900 noted that they tested firmware version 15.03.05.19 and that Tenda has not updated the firmware since 2017, although the 2019 firmware version is still available to download from Tenda’s US website.

“Our research efforts uncovered 5 CVEs with concerning ramifications for the firmware running on the Tenda AC15 AC1900,” said Sanjana Sarda, a security analyst at ISE Labs. “It is worth mentioning that the exploitation of these vulnerabilities can be leveraged as part of a botnet to potentially attack external systems and other systems residing on the internal network,” she explained.

A few of the vulnerabilities are not that uncommon, including insufficient request validation, insufficient data validation and sanitization, and remote code execution. But the genuinely problematic issue is the hard-coded credentials, which can be used to gain access via an open Telnet port.

“Although the telnet daemon gives us root access to the router, we should be able to further exploit the vulnerabilities we have found so far to also start a persistent reverse shell on the device,” says Sarda.

All of these vulnerabilities would allow attackers to compromise the devices and cause a persistent denial of service condition. The vulnerabilities may extend to other devices in the same family, and since Tenda has yet to respond to the researchers, the vulnerabilities are still there and ready to be exploited.
