cbcvebase.
CVE-2024-4112
published 2024-04-24

CVE-2024-4112: A vulnerability classified as critical has been found in Tenda TX9 22.03.02.10. This affects the function sub_42CB94 of the file /goform/SetVirtualServerCfg…

PriorityP268high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
1.70%
74.4th percentile
A vulnerability classified as critical has been found in Tenda TX9 22.03.02.10. This affects the function sub_42CB94 of the file /goform/SetVirtualServerCfg. The manipulation of the argument list leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-261855. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Affected

2 ranges
VendorProductVersion rangeFixed in
tendatx9
tendatx9_pro_firmware

Detection & IOCsextracted from sources · hover to see the quote

url/goform/SetVirtualServerCfg
path/goform/SetVirtualServerCfg
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Tenda SetVirtualServerCfg list Parameter Buffer Overflow Attempt (CVE-2025-29361, CVE-2024-4112, CVE-2024-40416, CVE-2024-10282, CVE-2025-65220)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:27; content:"/goform/SetVirtualServerCfg"; fast_pattern; http.request_body; content:"list|3d|"; pcre:"/^[^&]{100,}(?:&|$)/R"; reference:cve,2024-4112; reference:url,www.cve.org/CVERecord/SearchResults?query=SetVirtualServerCfg; reference:cve,2025-29361; reference:cve,2024-10282; reference:cve,2024-40416; reference:url,github.com/peris-navince/founded-0-days/blob/main/Tenda/ac8/formSetVirtualSer/1.md; reference:cve,2025-65220; classtype:web-application-attack; sid:2065157; rev:1; metadata:affected_product Tenda, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_10_10, cve CVE_2024_40416_CVE_2024_4112_CVE_2024_10282_CVE_2025_29361, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_10_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
bytes
list=<100+ bytes>
  • Look for HTTP POST requests to /goform/SetVirtualServerCfg with a 'list' parameter value exceeding 100 characters in the request body, indicative of a stack-based buffer overflow attempt.
  • The URI /goform/SetVirtualServerCfg has an exact byte size of 27; use bsize matching to reduce false positives.
  • Traffic is expected in plaintext (not TLS); focus detection on unencrypted HTTP to internal networking equipment.
  • The exploit targets the function sub_42CB94 via the 'list' argument; the manipulation of this argument leads to a stack-based buffer overflow exploitable remotely.
  • ·The Snort/Suricata rule (sid:2065157) covers multiple CVEs simultaneously (CVE-2025-29361, CVE-2024-4112, CVE-2024-40416, CVE-2024-10282, CVE-2025-65220); a positive alert does not exclusively confirm CVE-2024-4112 exploitation.

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv2.09.0CRITICALAV:N/AC:L/Au:S/C:C/I:C/A:C
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.