CVE-2026-8259 - Vulnerability Details

- Tenda AC6 httpd telnet os command injection

Description

A vulnerability has been found in Tenda AC6 2.0/15.03.06.23. The affected element is an unknown function of the file /goform/telnet of the component httpd. The manipulation of the argument lan.ip leads to os command injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.

Published: 2026-05-11

Score: 5.1 Medium

EPSS: 4.4% Low

KEV: No

Impact:

Action:

Analysis

Impact

A flaw exists in the httpd component of the Tenda AC6 firmware, accessed through the undocumented /goform/telnet endpoint. By manipulating the lan.ip parameter, an attacker can inject arbitrary operating‑system commands that are executed on the router. This allows complete compromise of the device, with the potential to read or modify configuration, create backdoors, or pivot into the local network, due to a command injection flaw classified as CWE-77 and CWE-78.

Affected Systems

The vulnerable product is Tenda AC6. Firmware versions 2.0 and 15.03.06.23 are confirmed as affected. No other revisions are reported to be vulnerable.

Risk and Exploitability

The CVSS base score of 5.1 indicates a moderate impact on confidentiality, integrity, and availability. Because the exploit can be triggered from the router’s web interface, an attacker only needs access to that interface, which may be reachable remotely, to reach the vulnerable endpoint. The EPSS score of 4% indicates a moderate probability of exploitation, and the vulnerability is not listed in CISA KEV, suggesting that widespread exploitation is not yet documented. While the description does not detail authentication requirements, it is inferred that the telnet endpoint does not require prior authentication, allowing unauthenticated users with web access to trigger the injection.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Tenda

AC6

affected

Version	Status	Constraints
`2.0`	affected	—
`15.03.06.23`	affected	—

Configuration 1 [-]

AND

cpe:2.3:o:tenda:ac6_firmware:15.03.06.23:*:*:*:*:*:*:*

cpe:2.3:h:tenda:ac6:2.0:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Tenda

Ac6

100%

Version	Status	Scheme	Platform
`2.0`	affected	generic	—
`15.03.06.23`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest firmware update that removes the vulnerable /goform/telnet endpoint or otherwise patches the command injection.
If no firmware update is available, block or deny access to /goform/telnet by configuring the router’s firewall or disabling the telnet service in the admin settings.
Restrict management access to the router to trusted IP addresses or local‑only mode to minimize the attack surface.

Generated by OpenCVE AI on June 18, 2026 at 08:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Multiple

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.04447.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/dxz0069/WAVLINK-WN530H4-Command-Injection-in-set_add_routing/blob/main/Tenda%20AC6V2%20TendaTelnet%20Command%20Injection.md
https://vuldb.com/submit/809877
https://vuldb.com/vuln/362556
https://vuldb.com/vuln/362556/cti
https://www.tenda.com.cn/

History

Mon, 11 May 2026 17:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:h:tenda:ac6:2.0:::::::* cpe:2.3:o:tenda:ac6_firmware:15.03.06.23:::::::*

Mon, 11 May 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 11 May 2026 02:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Tenda ac6
Vendors & Products		Tenda ac6

Mon, 11 May 2026 01:30:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability has been found in Tenda AC6 2.0/15.03.06.23. The affected element is an unknown function of the file /goform/telnet of the component httpd. The manipulation of the argument lan.ip leads to os command injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.
Title		Tenda AC6 httpd telnet os command injection
First Time appeared		Tenda Tenda ac6 Firmware
Weaknesses		CWE-77 CWE-78
CPEs		cpe:2.3:o:tenda:ac6_firmware::::::::
Vendors & Products		Tenda Tenda ac6 Firmware
References		https://github.com/dxz0069/WAVLINK-WN530H4-Command-Injection-in-set_add_routing/blob/main/Tenda%20AC6V2%20TendaTelnet%20Command%20Injection.md https://vuldb.com/submit/809877 https://vuldb.com/vuln/362556 https://vuldb.com/vuln/362556/cti https://www.tenda.com.cn/
Metrics		cvssV2_0 `{'score': 5.8, 'vector': 'AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 4.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Tenda Ac6 Ac6 Firmware

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-05-11T01:00:15.246Z

Updated: 2026-05-11T10:55:16.853Z

Reserved: 2026-05-10T15:07:35.155Z

Link: CVE-2026-8259

Vulnrichment

Updated: 2026-05-11T10:55:08.536Z

NVD

Status : Analyzed

Published: 2026-05-11T02:16:27.417

Modified: 2026-06-17T11:03:44.550

Link: CVE-2026-8259

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T08:30:04Z

Weaknesses

CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Multiple

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object