NULL pointer dereference in Tenda Ac10
CVE-2024-10280
A vulnerability was found in Tenda AC6, AC7, AC8, AC9, AC10, AC10U, AC15, AC18, AC500 and AC1206 up to 20241022. It has been rated as problematic. This issue affects the function websReadEvent of the file /goform/GetIPTV. The manipulation…
EPSS: 0.002 (37.2th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 6.5 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.
Affected products
- Tenda Ac10 — versions 20241022
- Tenda Ac10u — versions 20241022
- Tenda Ac1206 — versions 20241022
- Tenda Ac15 — versions 20241022
- Tenda Ac18 — versions 20241022
- Tenda Ac500 — versions 20241022
- Tenda Ac6 — versions 20241022
- Tenda Ac7 — versions 20241022
- Tenda Ac8 — versions 20241022
- Tenda Ac9 — versions 20241022
Weakness classification (CWE)
Public proof-of-concept exploits
References
- VDB-281555 | Tenda AC6/AC7/AC8/AC9/AC10/AC10U/AC15/AC18/AC500/AC1206 GetIPTV websReadEvent null pointer dereference (vdb-entry, technical-description)
- VDB-281555 | CTI Indicators (IOB, IOC, IOA) (signature, permissions-required)
- Submit #426417 | Tenda AC8v4 V16.03.34.06 NULL Pointer Dereference (third-party-advisory)
- github.com/JohenanLi/router_vuls/blob/main/websReadEvent/websReadEvent.md (exploit)
- www.tenda.com.cn/ (product)
Frequently asked questions
- What is CVE-2024-10280?
- CVE-2024-10280 is a medium-severity vulnerability in Tenda Ac10, classified under NULL Pointer Dereference. CVSS score: 6.5/10. Published 2024-10-23.
- How severe is CVE-2024-10280?
- Medium severity. CVSS v3 base score is 6.5 out of 10.
- Is CVE-2024-10280 known to be exploited?
- 2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.