Overview

Liu Xinpeng, working at basic R&D center(Security Research Institute) of Eversec Technology Corporation, has found two security bugs of the firmware(V15.11.0.13_CN) of Tenda W15E using his vulnerability detection tool.
They are:

1: Heap overflow

Impact: If a user is using the web UI of one of the routers when the HTTP service is interrupted, the web UI becomes inaccessible to the user for 1 to 2 seconds. Then, the user has to relog in to the web UI. This vulnerability does not affect the router configuration or internet connectivity.

2: Directory traversal

Impact: Attackers can access almost all resources (except encrypted information) reserved on the router by specifying a URL. For W15E, most settings (including username and password) of W15E have been encrypted.

Tenda has fixed the vulnerabilities and released new firmware(V15.11.0.14) on Tenda's official website before they were disclosed. Generally, the vulnerabilities do not affect users. But if users are worried about the vulnerabilities, they can upgrade their routers using the new firmware.