Description
An issue was discovered in goform/formsetUsbUnload in Tenda AC15V1.0 V15.03.05.18_multi. The value of `v1` was not checked, potentially leading to a command injection vulnerability if injected into doSystemCmd.
Published: 2026-03-02
Score: 9.8 Critical
EPSS: 1.9% Low
KEV: No
Impact: Command injection leading to remote code execution
Action: Immediate Patch
AI Analysis

Impact

Tenda AC15 routers running firmware V15.03.05.18 expose the goform/formsetUsbUnload endpoint without validating the v1 parameter, allowing attackers to inject shell commands that are executed by the doSystemCmd function. This flaw can be exploited to run arbitrary code, compromise the router, and potentially pivot to other devices on the network, severely impacting confidentiality, integrity, and availability.

Affected Systems

The vulnerability affects Tenda AC15 routers with firmware version 15.03.05.18. No other products or revisions are listed as impacted.

Risk and Exploitability

Based on the description, the vulnerability carries a CVSS score of 9.8, indicating critical severity, and an EPSS score of 2%, suggesting a measurable but not high probability of exploitation soon. It is not listed in the CISA KEV catalog. An attacker can likely exploit it by sending a crafted HTTP POST or GET request to the formsetUsbUnload endpoint with malicious commands embedded in the v1 field. No special privileges are required beyond access to the router’s web interface, which makes the attack relatively straightforward for adversaries moving laterally.

Generated by OpenCVE AI on April 17, 2026 at 13:39 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the latest Tenda firmware update that addresses command injection in the USB unload form
  • If no update is available, block or filter requests to the goform/formsetUsbUnload URL at the router or upstream firewall
  • Disable USB unloading functionality or restrict it to trusted interfaces if possible


Advisories

No advisories yet.

History

Fri, 17 Apr 2026 14:00:00 +0000

Title (added): Command Injection in Tenda AC15 via Unchecked Form Parameter

Fri, 06 Mar 2026 21:15:00 +0000

First Time appeared (added): Tenda ac15 Firmware
CPEs (added): cpe:2.3:h:tenda:ac15:1.0:*:*:*:*:*:*:*, cpe:2.3:o:tenda:ac15_firmware:15.03.05.18:*:*:*:*:*:*:*
Vendors & Products (added): Tenda ac15 Firmware

Wed, 04 Mar 2026 11:00:00 +0000

First Time appeared (added): Tenda, Tenda ac15
Vendors & Products (added): Tenda, Tenda ac15

Tue, 03 Mar 2026 15:15:00 +0000

Weaknesses (added): CWE-94
Metrics (added):
cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 17:00:00 +0000

Description (added): An issue was discovered in goform/formsetUsbUnload in Tenda AC15V1.0 V15.03.05.18_multi. The value of `v1` was not checked, potentially leading to a command injection vulnerability if injected into doSystemCmd.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-03T14:59:43.107Z

Reserved: 2026-01-21T00:00:00.000Z

Link: CVE-2026-24105

Vulnrichment

Updated: 2026-03-03T14:59:26.163Z

NVD

Status: Analyzed

Published: 2026-03-02T17:16:32.793

Modified: 2026-03-06T21:05:36.243

Link: CVE-2026-24105

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T13:45:16Z

Weaknesses