Description
An issue was discovered in goform/formSetIptv in Tenda AC15V1.0 V15.03.05.18_multi. When the condition is met, `s1_1` will be passed into sub_B0488, concatenated into `doSystemCmd`. The value of s1_1 is not validated, potentially leading to a command injection vulnerability.
Published: 2026-03-02
Score: 9.8 Critical
EPSS: 1.3% Low
KEV: No
Impact: Remote Command Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in the goform/formSetIptv handler of Tenda AC15 routers. An unvalidated input parameter, s1_1, is concatenated directly into a system command string, allowing an attacker to inject arbitrary OS commands. This flaw can lead to remote execution of arbitrary code on the device, compromising confidentiality, integrity, and availability.

Affected Systems

The flaw affects Tenda AC15 routers running firmware version 15.03.05.18_multi (v1.0). The affected hardware is the AC15 model; the exact firmware identifier is ac15_firmware:15.03.05.18_multi.

Risk and Exploitability

The CVSS base score is 9.8, indicating critical severity. The EPSS score of 1% suggests a non-negligible chance of exploitation in the near term. The absence of a CISA KEV listing does not diminish the risk. Although the attack vector is not explicitly described, it is inferred to be the router’s web interface, which is typically exposed on the local network, so any user who can reach the interface can send crafted requests. Because unvalidated input flows directly into system command execution, the vulnerability is highly exploitable.

Generated by OpenCVE AI on April 16, 2026 at 14:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the router to the latest firmware released by Tenda that fixes the command injection issue.
  • Restrict external access to the router’s web management interface by configuring firewall rules or placing the device behind a VPN.
  • Disable or isolate the IPTV service or any feature that interacts with the formSetIptv endpoint if a patch is not immediately available.



Advisories

No advisories yet.

History

Thu, 16 Apr 2026 15:00:00 +0000

Type: Title
Values Removed: (none)
Values Added: Command Injection in Tenda AC15 Router FormSetIptv

Tue, 03 Mar 2026 19:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Tenda; Tenda ac15; Tenda ac15 Firmware

Type: CPEs
Values Removed: (none)
Values Added:
cpe:2.3:h:tenda:ac15:1.0:*:*:*:*:*:*:*
cpe:2.3:o:tenda:ac15_firmware:15.03.05.18_multi:*:*:*:*:*:*:*

Type: Vendors & Products
Values Removed: (none)
Values Added: Tenda; Tenda ac15; Tenda ac15 Firmware

Mon, 02 Mar 2026 16:15:00 +0000

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-78

Type: Metrics
Values Removed: (none)
Values Added:
cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 15:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: An issue was discovered in goform/formSetIptv in Tenda AC15V1.0 V15.03.05.18_multi. When the condition is met, `s1_1` will be passed into sub_B0488, concatenated into `doSystemCmd`. The value of s1_1 is not validated, potentially leading to a command injection vulnerability.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-02T16:02:26.391Z

Reserved: 2026-01-21T00:00:00.000Z

Link: CVE-2026-24101

Vulnrichment

Updated: 2026-03-02T16:02:18.708Z

NVD

Status: Analyzed

Published: 2026-03-02T16:16:24.407

Modified: 2026-03-03T19:44:19.120

Link: CVE-2026-24101

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T14:45:25Z

Weaknesses