cbcvebase.
CVE-2024-2896
published 2024-03-26

CVE-2024-2896: A vulnerability was found in Tenda AC7 15.03.06.44. It has been rated as critical. This issue affects the function formWifiWpsStart of the file…

PriorityP270high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
1.86%
76.5th percentile
A vulnerability was found in Tenda AC7 15.03.06.44. It has been rated as critical. This issue affects the function formWifiWpsStart of the file /goform/WifiWpsStart. The manipulation of the argument index leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-257939. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Affected

2 ranges
VendorProductVersion rangeFixed in
tendaac7
tendaac7_firmware

Detection & IOCsextracted from sources · hover to see the quote

url/goform/WifiWpsStart
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Tenda WifiWpsStart index Parameter Buffer Overflow Attempt (CVE-2025-45429, CVE-2024-2896, CVE-2024-2811, CVE-2024-2706)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:20; content:"/goform/WifiWpsStart"; fast_pattern; http.request_body; content:"index|3d|"; pcre:"/^[^&]{100,}(?:&|$)/R"; reference:cve,2025-45429; reference:url,github.com/SolitaryGrass/IoT_vuln/blob/main/tenda/AC6/AC6V2.0RTL_V15.03.06.23/formWifiWpsStart/poc.py; reference:cve,2024-2811; reference:cve,2024-2706; reference:cve,2024-2896; classtype:web-application-attack; sid:2064111; rev:1; metadata:affected_product Tenda, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_08_22, cve CVE_2025_45429_CVE_2024_2896_CVE_2024_2811_CVE_2024_2706, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_08_22, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit traffic uses HTTP POST method targeting the URI /goform/WifiWpsStart with a body parameter 'index=' followed by an oversized value (>=100 chars before & or end of body), indicating a stack-based buffer overflow attempt.
  • The URI /goform/WifiWpsStart has a fixed length of exactly 20 bytes; use a URI bsize check of 20 to reduce false positives.
  • The attack is plaintext (non-TLS) and should be detected at the network perimeter and internally; no TLS inspection required.
  • The vulnerability is remotely exploitable via manipulation of the 'index' argument in the formWifiWpsStart function, leading to a stack-based buffer overflow.
  • ·The Snort/Suricata rule (sid:2064111) covers multiple CVEs simultaneously (CVE-2025-45429, CVE-2024-2896, CVE-2024-2811, CVE-2024-2706); a positive alert does not uniquely identify CVE-2024-2896 without additional context.
  • ·The affected firmware version is Tenda AC7 15.03.06.44; the PoC reference points to AC6 firmware AC6V2.0RTL_V15.03.06.23, suggesting the same vulnerable endpoint exists across multiple Tenda device families and firmware versions.

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv2.09.0CRITICALAV:N/AC:L/Au:S/C:C/I:C/A:C
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.