CVE-2023-27240
Published 2023-03-15
Priority P185 · Severity: critical, 9.8 (CVSS 3.1) · Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
In the wild: VulnCheck KEV (exploited in the wild)
EPSS: 2.77% (84.5th percentile)
Tenda AX3 V16.03.12.11 was discovered to contain a command injection vulnerability via the lanip parameter at /goform/AdvSetLanip.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tenda | ax3_firmware | — | — |
Detection & IOCs (extracted from sources)
Snort/Suricata rule (ET sid 2057253):

```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Tenda AX3 Command Injection Attempt (CVE-2023-27240)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:19; content:"/goform/AdvSetLanip"; fast_pattern; http.request_body; content:"lanIp|3a|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,unit42.paloaltonetworks.com/mirai-variant-targets-iot-exploits/; reference:cve,2023-27240; classtype:attempted-admin; sid:2057253; rev:1; metadata:affected_product Tenda, attack_target Networking_Equipment, tls_state plaintext, created_at 2024_11_05, cve CVE_2023_27240, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2024_11_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
- Exploit traffic is HTTP POST only; filter on method POST to /goform/AdvSetLanip (exact URI length 19 bytes, hence bsize:19).
- The request body must contain the 'lanIp:' parameter (the colon is written as the hex byte |3a| in the rule); shell metacharacters immediately after the value, raw or percent-encoded, indicate injection: semicolon (; / %3B), newline (\n / %0A), backtick (` / %60), pipe (| / %7C), or dollar sign ($ / %24). The PCRE only scans up to the next '&', so a metacharacter in a later parameter does not fire the rule.
- Exploitation is observed in the wild as part of Mirai botnet campaigns targeting IoT/networking equipment; correlate with Mirai C2 activity.
- Traffic is plaintext (no TLS); deploy detection at perimeter and internal network boundaries.
- Vulnerable only on Tenda AX3 firmware version V16.03.12.11; confirm device model and firmware before triaging alerts.
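The rule's match conditions re-implemented in Python for offline triage of captured requests, as an added example (not from the ET ruleset or this page); the sample requests are constructed, and the parser only checks the first occurrence of the parameter.

```python
import re

# Added example: the match conditions of ET sid 2057253 re-implemented for
# offline triage of captured requests. Works on bytes because the rule
# inspects the raw request and does not URL-decode.
URI = b"/goform/AdvSetLanip"     # http.uri; bsize:19 means an exact 19-byte match
PARAM = b"lanIp:"                # content:"lanIp|3a|" (|3a| is the hex byte for ':')
# pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"
# Scans the value up to the next '&' for a raw or percent-encoded ; \n ` | $.
META = re.compile(rb"[^\x26]*?(?:\x3b|%3[Bb]|\x0a|%0[Aa]|\x60|%60|\x7c|%7[Cc]|\x24|%24)+")

def matches_rule(method: bytes, uri: bytes, body: bytes) -> bool:
    """True when one request satisfies every condition of the rule."""
    if method != b"POST" or uri != URI:        # http.method + http.uri/bsize
        return False
    idx = body.find(PARAM)                      # http.request_body content (first hit)
    if idx < 0:
        return False
    # The /R modifier anchors the pcre right after the "lanIp:" match;
    # re.match on the slice reproduces that anchoring.
    return META.match(body[idx + len(PARAM):]) is not None

def triage(requests):
    """Return the indices of (method, uri, body) tuples that fire the rule."""
    return [i for i, (m, u, b) in enumerate(requests) if matches_rule(m, u, b)]

# Constructed sample requests, not captured traffic.
SAMPLES = [
    (b"POST", URI, b"lanIp:192.168.0.1&lanMask:255.255.255.0"),   # benign value
    (b"POST", URI, b"lanIp:192.168.0.1;&lanMask:255.255.255.0"),  # raw ';' after value
    (b"POST", URI, b"lanIp:192.168.0.1%7C"),                      # percent-encoded '|'
    (b"GET",  URI, b"lanIp:192.168.0.1;"),                        # wrong method, no alert
    (b"POST", URI, b"lanMask:255.255.255.0;"),                    # parameter absent, no alert
    (b"POST", URI, b"lanIp:192.168.0.1&lanMask:1;"),              # metachar past '&', no alert
]

if __name__ == "__main__":
    print(triage(SAMPLES))  # [1, 2]
```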
CVSS provenance
- NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 9.8 CRITICAL
GHSA
GHSA-rj87-7v6g-2qr5 (ghsa_unreviewed, 2023-03-15): CVE-2023-27240 [CRITICAL], CWE-77. Same description as NVD: Tenda AX3 V16.03.12.11 was discovered to contain a command injection vulnerability via the lanip parameter at /goform/AdvSetLanip.
VulnCheck
Tenda ax3_firmware Improper Neutralization of Special Elements used in a Command ('Command Injection') (vulncheck, 2023, CVSS 9.8): CVE-2023-27240 [CRITICAL]. Same description as NVD.
Affected: Tenda ax3_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://unit42.paloaltonetworks.com/mirai-variant-targets-iot-exploits/; https://blog.xlab.qianxin.com/catddos-derivative-en/
Suricata
ET WEB_SPECIFIC_APPS Tenda AX3 Command Injection Attempt (CVE-2023-27240) (suricata, 2024-11-05, CVSS 9.8): CVE-2023-27240 [CRITICAL]. Rule text: the ET rule (sid 2057253) quoted under Detection & IOCs above.
No public exploits indexed.
Unit42
IoT Under Siege: The Anatomy of the Latest Mirai Campaign Leveraging Multiple IoT Exploits (blogs_unit42, 2023-06-22; indexed under CVE-2019-12725 [CRITICAL], CVSS 9.8)
## Executive Summary
Since March 2023, Unit 42 researchers have observed threat actors leveraging several IoT vulnerabilities to spread a variant of the Mirai botnet. The vulnerabilities exploited include those listed in the following table:

| CVE/Product | Description |
|---|---|
| CVE-2019-12725 | Zeroshell Remote Command Execution Vulnerability |
| CVE-2019-17621 | D-Link DIR-859 Remote Command Injection Vulnerability |
| CVE-2019-20500 | D-Link DWL-2600AP Remote Command Execution Vulnerability |
| CVE-2021-25296 | Nagios XI Remote Command Injection Vulnerability |
| CVE-2021-46422 | Telesquare SDT-CW3B1 Router Command Injection Vulnerability |
| CVE-2022-27002 | Arris TR3300 Remote Command Injection Vulnerability |
| CVE-2022-29303 | SolarView Compact Command Injection Vulnerability |
| CVE-2022-30023 | Tenda HG9 Router Command Injectio |
Unit42 (second excerpt of the same article): authors Chao Lei, Zhibin Zhang, Yiheng An, Cecilia Hu; published June 22, 2023. Tagged: Botnet, IoT, IoT Security, Mirai; CVE-2019-12725, CVE-2019-17621, CVE-2019-20500, CVE-2021-25296, CVE-2021-46422, CVE-2022-27002, CVE-2022-29303, CVE-2022-30023, CVE-2022-30525, CVE-2022-31499, CVE-2022-36266, CVE-2022-40005, CVE-2022-45699, CVE-2023-1389, CVE-2023-25280, CVE-2023-27240.
Greynoiseio
Trinity Cyber + GreyNoise: Sharing Intelligence to Protect Internet Citizens (blogs_greynoiseio)