An issue was discovered in goform/formSetIptv in Tenda AC15V1.0 V15.03.05.18_multi. When the condition is met, `s1_1` will be passed into sub_B0488, concatenated into `doSystemCmd`. The value of s1_1 is not validated, potentially leading to a command injection vulnerability.
The vulnerability exists in the goform/formSetIptv function, where the `s1_1` parameter, when a specific condition is met, is passed to the sub_B0488 function and concatenated directly into a string executed as a system command by `doSystemCmd`. Since the `s1_1` parameter value is not verified or sanitized in any way, an attacker can inject arbitrary system commands through a crafted network request. The attack does not require authentication or user interaction.
An attacker gains the ability to remotely execute arbitrary code (RCE) with the privileges of the process handling the request, which may lead to complete takeover of the device, loss of confidentiality, integrity, and availability.
Apply patches available from the manufacturer according to the references. It is recommended to check the Tenda manufacturer's website at the address indicated in the references and restrict access to the device's administrative panel exclusively from trusted networks or IP addresses until the patch is implemented.
Tenda AC15 V1.0 with software version V15.03.05.18_multi
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HTenda Ac15
HWTenda1.0Tenda Ac15 Firmware
OSTenda15.03.05.18_multi
Related vulnerabilities
The goform/setUsbUnload endpoint of Tenda AC15 AC1900 version 15.03.05.19 allows remote attackers to execute a...
Buffer overflow w Tenda AC15 — podatność w goform/formSetMacFilterCfg
Command injection w Tenda AC15 — brak walidacji parametru w formsetUsbUnload
Tenda AC15: słaby mechanizm cookie sesji ujawniający hash hasła
Buffer overflow w Tenda AC15 — przepełnienie stosu przez HTTP