CVE-2024-46546

Vulnerability

CVE-2024-46546 is a stack buffer overflow vulnerability in the NEXTU FLETA AX1500 WIFI6 Router running firmware version v1.0.3 [1]. The flaw resides in the /boafrm/formFilter handler of the embedded Boa web server (last released in 2005) [1]. When the administrator endpoint /urlfilter.htm is accessed, the url parameter is copied into a 7-byte fixed-size stack buffer via the strcpy() function without any length validation, causing a buffer overflow [1]. The router must be in its factory default state or the user must be logged in to reach the vulnerable code path [1].

Exploitation

An attacker with network access to the router sends a crafted POST request to /boafrm/formFilter with an overly long url parameter [1]. No prior authentication is required if the device is in its default state; if the device is configured, the attacker must first be logged into the web admin interface [1]. The request must also include a successful GET to /urlfilter.htm to ensure the filtering mechanism is active [1]. The strcpy() function in the formFilter handler then writes the attacker-supplied data past the small stack buffer, overwriting adjacent memory including the return address (RET) on the stack [1].

Impact

Successful exploitation causes a stack overflow, leading to a Denial of Service (DoS) due to corrupted stack memory [1]. The attacker can also control the overwritten RET address, enabling arbitrary code execution on the device at the privilege level of the Boa web server, which runs with root privileges on the MIPS-based Realtek chipset [1]. This could allow full compromise of the router, including exfiltration of network traffic, modification of routing rules, or further lateral movement [1].

Mitigation

At the time of publication (2025-04-22), no patched firmware version has been released by NEXTU [1]. The vendor has not announced a fix or workaround [1]. Users are advised to restrict remote access to the router's administrative web interface, ensure the device is not exposed to untrusted networks, and monitor for future firmware updates [1]. The CVE is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.