Tenda HG6 v3.3.0 Remote Command Injection Vulnerability (ZSL-2022-5706)

Key Information Title: Tenda HG6 v3.3.0 Remote Command Injection Vulnerability Advisory ID: ZSL-2022-5706 Type: Local/Remote Impact: System Access, DoS Risk: 4/5 Release Date: 03.05.2022 Summary: HG6 is an intelligent router passive optical network terminal used in Tenda's FTTH solution, which contains an authentication bypass and OS command injection vulnerability. Description: The formPing, formPing6, formTraceroute, and formTraceroute6 interfaces, via the 'pingAddr' and 'traceAddr' HTTP POST parameters, can be exploited to inject and execute arbitrary shell commands. Vendor: Tenda Technology Co., Ltd. Affected Version: - Firmware version: 3.3.0-210926 - Software version: v1.1.0 - Hardware Version: v1.0 - Check Version: TD_HG6_XPON_TDE_ISP Tested On: Boa/0.93.15 Vendor Status: - [22.04.2022] Vulnerability discovered - [26.04.2022] Vendor contacted - [01.05.2022] No response from vendor - [03.05.2022] Public security advisory released PoC: tenda_hg6_cmdinj.txt Credits: Gjoko Krstic for discovering the vulnerability References: - [1] https://packetstormsecurity.com/files/166932/Tenda-HG6-3.3.0-Remote-Command-Injection.html - [2] https://cxsecurity.com/issue/WLB-2022050009 - [3] https://exchange.xforce.ibmcloud.com/vulnerabilities/225715 - [4] https://www.sploitus.com/exploit?id=ZSL-2022-5706 - [5] https://www.exploit-db.com/exploits/50916 - [6] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30425 - [7] https://nvd.nist.gov/vuln/detail/CVE-2022-30425 Changelog: - [03.05.2022] - Initial release - [09.05.2022] - Added references [1],[2],[3],[4] - [13.05.2022] - Added reference [5] - [29.05.2022] - Added references [6],[7]

Goal Reached Thanks to every supporter — we hit 100%!

Tenda HG6 v3.3.0 Remote Command Injection Vulnerability (ZSL-2022-5706)