CVE-2026-0581
Remote Command Injection in Tenda AC1206 HTTPD Component
Publication date: 2026-01-05
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tenda | ac1206 | 15.03.06.23 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-0581 is a command injection vulnerability in the Tenda AC1206 router firmware version 15.03.06.23. It exists in the httpd service, specifically in the function formBehaviorManager at the /goform/BehaviorManager endpoint. The vulnerability arises because the parameters modulename, option, data, and switch are not properly sanitized before being used to construct system commands. This allows an attacker to remotely inject and execute arbitrary commands on the device by manipulating these parameters, compromising the device's security. [1, 2]
How can this vulnerability impact me? :
This vulnerability can allow a remote attacker to execute arbitrary commands on the affected Tenda AC1206 router without requiring physical or local access. This can lead to compromise of the device's confidentiality, integrity, and availability. An attacker could potentially take control of the router, disrupt network services, intercept or manipulate data, or use the device as a foothold for further attacks within the network. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring requests to the /goform/BehaviorManager endpoint on the Tenda AC1206 router, specifically looking for suspicious or malformed parameters modulename, option, data, and switch that may contain command injection payloads. Since the vulnerability involves command injection via these parameters, you can use network traffic inspection tools like Wireshark or tcpdump to capture HTTP requests to this endpoint and analyze them for unusual input. Additionally, you can attempt to send controlled test requests with benign payloads to see if the device executes unintended commands. However, no specific detection commands are provided in the resources. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include replacing the affected Tenda AC1206 router with an alternative device, as no known countermeasures or patches currently exist. Since the vulnerability is remotely exploitable and involves command injection in the httpd service, disabling remote management or restricting access to the /goform/BehaviorManager endpoint may reduce exposure. Monitoring network traffic for exploitation attempts is also recommended. Ultimately, upgrading to a secure firmware version or switching to a different product is advised. [1]