CVE-2022-40847 is a command injection vulnerability identified in the Tenda AC1200 Router model W15Ev2 running firmware version V15.11.0.10(1576). The vulnerability exists in the function formSetFixTools, which improperly handles the hostname parameter. An attacker with low privileges and local access can exploit this flaw by injecting arbitrary commands through the hostname parameter, which the router executes on the underlying system. This leads to full compromise of the device, allowing an attacker to execute arbitrary code with high privileges. The vulnerability is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command), indicating that user input is not properly sanitized before being passed to system commands. The CVSS v3.1 base score is 7.8 (high severity), with the vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, meaning the attack requires local access but low complexity and privileges, no user interaction, and results in high impact on confidentiality, integrity, and availability. No known exploits in the wild have been reported, and no patches or vendor advisories are currently linked. The vulnerability allows attackers to take full control of the router, potentially leading to network compromise, interception of traffic, or pivoting to other internal systems.

For European organizations, this vulnerability poses a significant risk, especially for those using Tenda AC1200 W15Ev2 routers in their network infrastructure. Exploitation can lead to complete device takeover, enabling attackers to intercept, modify, or redirect network traffic, potentially compromising sensitive data and internal communications. The router compromise can also serve as a foothold for lateral movement within corporate networks, increasing the risk of broader network breaches. Given the high impact on confidentiality, integrity, and availability, critical business operations relying on these routers could be disrupted. Additionally, compromised routers can be used as part of botnets or for launching further attacks, affecting organizational reputation and compliance with data protection regulations such as GDPR. The requirement for local or adjacent network access limits remote exploitation but does not eliminate risk, as attackers may gain local access through phishing, insider threats, or compromised devices within the network.

Organizations should first inventory their network devices to identify the presence of Tenda AC1200 W15Ev2 routers running the vulnerable firmware version. Since no official patches are currently linked, immediate mitigation includes restricting physical and network access to these devices, especially limiting access to trusted administrators only. Network segmentation should be enforced to isolate vulnerable routers from critical systems and sensitive data. Implement strict access controls and monitoring on management interfaces to detect and prevent unauthorized access attempts. Consider replacing vulnerable routers with models from vendors providing timely security updates. Additionally, monitor network traffic for unusual patterns that may indicate exploitation attempts. If feasible, disable or restrict the functionality related to the formSetFixTools function or the hostname parameter through configuration changes or firewall rules. Regularly review vendor communications for updates or patches addressing this vulnerability.