Description
An issue was discovered in Tenda W20E V4.0br_V15.11.0.6. Failure to validate the value of `usbPartitionName`, which is directly used in `doSystemCmd`, may lead to critical command injection vulnerabilities.
Published: 2026-03-02
Score: 9.8 Critical
EPSS: 1.3% Low
KEV: No
Impact: Command Injection
Action: Patch Immediately
AI Analysis

Impact

A flaw in the Tenda W20E firmware allows the unvalidated value of the parameter usbPartitionName to be inserted directly into a system command. This oversight permits an attacker to execute arbitrary shell commands with the privileges of the router, potentially compromising device configuration and data confidentiality. The issue is catalogued as CWE-94, representing command injection weaknesses.

Affected Systems

The vulnerability is present in Tenda routers running the W20E model with firmware version V4.0br_V15.11.0.6. No other vendor or product information is enumerated.

Risk and Exploitability

The CVSS score of 9.8 indicates a critical impact, and the EPSS score of 1% signals that exploitation is unlikely but possible. The vulnerability is not listed in the CISA KEV catalog, suggesting it has not yet been widely exploited in the wild. Because the component in question is accessed via the USB interface, the most probable attack vector involves a local attacker or one with physical access to the device, who can supply a malicious usbPartitionName value. Such an attacker can run arbitrary commands, effectively gaining full control of the router’s operating system.

Generated by OpenCVE AI on April 16, 2026 at 14:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest official firmware update for the Tenda W20E that addresses the command-injection flaw.
  • If no patch is available, disable or restrict the USB functionality that exposes usbPartitionName to prevent untrusted input from reaching doSystemCmd.
  • Configure network segmentation or firewall rules to limit external management access to the router, reducing the risk of remote exploitation.
  • Implement input validation for any future firmware that involves external parameters, following the guidelines for CWE-94 to mitigate command-injection risks.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 15:15:00 +0000

Type                 Values Removed    Values Added
Title                                  Critical Command Injection via USB Partition Parameter in Tenda W20E Router

Tue, 03 Mar 2026 16:00:00 +0000

Type                 Values Removed    Values Added
First Time appeared                    Tenda
                                       Tenda w20e
                                       Tenda w20e Firmware
CPEs                                   cpe:2.3:h:tenda:w20e:4.0:*:*:*:*:*:*:*
                                       cpe:2.3:o:tenda:w20e_firmware:15.11.0.6:*:*:*:*:*:*:*
Vendors & Products                     Tenda
                                       Tenda w20e
                                       Tenda w20e Firmware

Tue, 03 Mar 2026 06:15:00 +0000

Type                 Values Removed    Values Added
Metrics                                ssvc
                                       {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 03 Mar 2026 02:30:00 +0000

Type                 Values Removed    Values Added
Weaknesses                             CWE-94
Metrics                                cvssV3_1
                                       {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Mon, 02 Mar 2026 14:30:00 +0000

Type                 Values Removed    Values Added
Description                            An issue was discovered in Tenda W20E V4.0br_V15.11.0.6. Failure to validate the value of `usbPartitionName`, which is directly used in `doSystemCmd`, may lead to critical command injection vulnerabilities.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-03T01:48:20.554Z

Reserved: 2026-01-21T00:00:00.000Z

Link: CVE-2026-24107

Vulnrichment

Updated: 2026-03-03T01:48:15.268Z

NVD

Status: Analyzed

Published: 2026-03-02T15:16:33.020

Modified: 2026-03-03T15:55:11.547

Link: CVE-2026-24107

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T15:00:14Z

Weaknesses