CVE-2026-5547
Received Received - Intake
OS Command Injection in Tenda AC10 /bin/httpd Allows Remote Attack

Publication date: 2026-04-05

Last updated on: 2026-04-30

Assigner: VulDB

Description
A vulnerability has been found in Tenda AC10 16.03.10.10_multi_TDE01. Affected is the function formAddMacfilterRule of the file /bin/httpd. Such manipulation leads to os command injection. It is possible to launch the attack remotely. Multiple endpoints might be affected.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-05
Last Modified
2026-04-30
Generated
2026-06-16
AI Q&A
2026-04-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5547
EUVD
EUVD-2026-19042
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tenda ac10_firmware 16.03.10.10_multi_tde01
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-5547 is a critical command injection vulnerability found in the Tenda AC10 V4 router firmware, specifically in the function formAddMacfilterRule within the /bin/httpd binary.

The vulnerability arises because user input obtained via websGetVar() is passed directly to doSystemCmd(), a function that executes operating system commands, without sufficient sanitization.

Although there is partial validation of the MAC address parameter, it is inadequate to prevent command injection. This insecure pattern is systemic, affecting at least 21 functions in the httpd binary that invoke doSystemCmd() with user-influenced data.

An authenticated attacker with valid router admin credentials can exploit this flaw to inject arbitrary OS commands, potentially achieving full root-level code execution on the device.

Impact Analysis

This vulnerability allows an authenticated attacker to inject arbitrary operating system commands on the affected router, leading to full root-level code execution.

The attacker can manipulate the device remotely, potentially taking full control over the router, altering configurations, intercepting or redirecting network traffic, and compromising the security and availability of the network.

Such control could lead to further attacks on connected devices, data theft, or disruption of network services.

Detection Guidance

The vulnerability affects the Tenda AC10 V4 router firmware, specifically the function formAddMacfilterRule in the /bin/httpd binary, which allows OS command injection via user input.

Detection can focus on identifying attempts to exploit command injection through the router's web interface, especially targeting MAC filter rule additions or other vulnerable goform handlers.

Since the attack requires authenticated access, monitoring for unusual or suspicious commands executed on the router or unexpected network traffic patterns related to the router's management interface may help.

Specific commands to detect exploitation attempts are not provided in the resources, but general approaches include:

  • Monitoring HTTP POST requests to endpoints related to MAC filter rules (e.g., formAddMacfilterRule) for suspicious payloads containing shell metacharacters.
  • Using network traffic analysis tools (e.g., tcpdump, Wireshark) to capture and inspect management interface traffic for anomalous inputs.
  • On the device, if accessible, checking process execution logs or command history for unexpected commands.
Mitigation Strategies

Immediate mitigation steps include restricting access to the router's management interface to trusted users only, as exploitation requires authenticated access.

Ensure that only authorized personnel have admin credentials to the router.

If possible, disable remote management features to prevent remote exploitation.

Apply any available firmware updates or patches from the vendor that address this vulnerability.

Longer term, remediation involves sanitizing all user inputs before passing them to system command execution functions, implementing allowlist validation for parameters like MAC addresses, and avoiding constructing OS commands from user input.

Compliance Impact

The provided information does not specify how the CVE-2026-5547 vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5547. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart