Tenda AC23 Firmware
If your router is connected to the internet:
Some iterations of Tenda firmware suffer from logic flaws in the authentication handler.
For the tech-savvy, the Tenda AC23 firmware story doesn't end with the factory settings. The AC23 has gained a cult following in the enthusiast community because its hardware is often "overpowered" compared to its price point.
A significant feature of the AC23 ecosystem is third-party firmware support, specifically OpenWRT. For users willing to void their warranty, flashing OpenWRT onto the AC23 unlocks capabilities locked away by Tenda’s consumer-friendly interface:
This duality makes the AC23 firmware unique. It is beginner-friendly out of the box but possesses the architecture to become a hobbyist’s playground.
CVE-2020-10987 / Generic Tenda RCE
One of the most critical classes of vulnerabilities in the AC23 is the improper sanitization of inputs passed to the system() function.
Hypothetical Exploit Scenario:
If the router has a function setting the device MAC address via a POST request to /goform/setMac, and the backend code looks like:
sprintf(cmd, "ifconfig eth0 hw ether %s", mac_address);
system(cmd);
An attacker could send mac_address as 00:11:22:33:44:55; telnetd -l /bin/sh -p 9999. This would execute the ifconfig command and subsequently open a telnet shell on port 9999.
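The same hypothetical setMac handler written without a shell, as an added example that is not Tenda's code or part of the original page. The function names is_valid_mac, build_set_mac_argv and set_mac are assumptions; the ifconfig arguments are taken from the snippet above. The value is checked against a strict MAC allow-list and then passed to execvp() as a single argv element, so shell metacharacters are never interpreted.

```c
#include <ctype.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allow-list check: exactly "XX:XX:XX:XX:XX:XX" with hex digits, nothing else. */
int is_valid_mac(const char *s)
{
    if (s == NULL || strlen(s) != 17)
        return 0;
    for (size_t i = 0; i < 17; i++) {
        if (i % 3 == 2) {
            if (s[i] != ':')
                return 0;
        } else if (!isxdigit((unsigned char)s[i])) {
            return 0;
        }
    }
    return 1;
}

/* Fill argv for a direct exec of ifconfig; returns -1 if the value is rejected. */
int build_set_mac_argv(const char *mac, const char *argv[6])
{
    if (!is_valid_mac(mac))
        return -1;
    argv[0] = "ifconfig"; argv[1] = "eth0"; argv[2] = "hw";
    argv[3] = "ether";    argv[4] = mac;    argv[5] = NULL;
    return 0;
}

/* Hypothetical handler body: no sprintf(), no system(), so no shell parses the input. */
int set_mac(const char *mac)
{
    const char *argv[6];
    int status;
    pid_t pid;

    if (build_set_mac_argv(mac, argv) != 0)
        return -1;                      /* reject before anything is executed */
    if ((pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], (char *const *)argv);
        _exit(127);                     /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}
```

With this structure the string from the scenario above fails the length check and set_mac() returns -1 before any process is created.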
There are two methods to update: Automatic (via Cloud) and Manual.
Previous firmware had a nasty habit of dropping 5 GHz clients every 48-72 hours. The latest build patches the Broadcom driver (the AC23 uses a Realtek RTL8197FS chip, interestingly) to fix DHCP lease renewal conflicts. Result? My iPhone 15 and laptop stayed connected for 14+ days without a manual reboot.
| You have firmware from 2021-2022 | → Update immediately (security risks) |
|----------------------------------|-------------------------------------------|
| You have v16.03.11.20 (late 2023) | → Probably skip unless you have Wi-Fi drops |
| You use IPv6 heavily | → Don’t update (wait for next beta) |
| You need stable 5 GHz coverage | → Yes, update to v.13.08 |
Most people set up their router, toss the box in the closet, and never think about it again. That is a security risk. Router manufacturers release firmware updates for three critical reasons: