The goform/setUsbUnload endpoint of Tenda AC15 AC1900 version 15.03.05.19 allows remote attackers to execute arbitrary system commands via the deviceName POST parameter.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HTenda Ac15
HWTendawszystkie wersjeTenda Ac15 Firmware
OSTenda15.03.05.19
CISA KEV — detailsi
- Vendori
- Tenda
- Producti
- AC1900 Router AC15 Model
- Added to KEVi
- November 3, 2021
- Remediation deadline (US Federal)i
- May 3, 2022(overdue)
Required action (CISA)i
Apply updates per vendor instructions.
CISA descriptioni
Tenda AC1900 Router AC15 Model contains an unspecified vulnerability that allows remote attackers to execute system commands via the deviceName POST parameter.
🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
⏰CISA DEADLINE: 3 maja 2022
Tags
Command Injection
Related vulnerabilities
CVE-2026-24103CRITICAL9.8PL ✓ten sam produkt
Buffer overflow w Tenda AC15 — podatność w goform/formSetMacFilterCfg
CVE-2026-24105CRITICAL9.8PL ✓ten sam produkt
Command injection w Tenda AC15 — brak walidacji parametru w formsetUsbUnload
CVE-2026-24101CRITICAL9.8PL ✓ten sam produkt
Command injection w Tenda AC15 — brak walidacji parametru formSetIptv
CVE-2025-63666CRITICAL9.8PL ✓ten sam produkt
Tenda AC15: słaby mechanizm cookie sesji ujawniający hash hasła
CVE-2025-29462CRITICAL9.8PL ✓ten sam produkt
Buffer overflow w Tenda AC15 — przepełnienie stosu przez HTTP