CVE-2026-5547
OS Command Injection in Tenda AC10 /bin/httpd Allows Remote Attack
Publication date: 2026-04-05
Last updated on: 2026-04-30
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tenda | ac10_firmware | 16.03.10.10_multi_tde01 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-5547 is a critical command injection vulnerability found in the Tenda AC10 V4 router firmware, specifically in the function formAddMacfilterRule within the /bin/httpd binary.
The vulnerability arises because user input obtained via websGetVar() is passed directly to doSystemCmd(), a function that executes operating system commands, without sufficient sanitization.
Although there is partial validation of the MAC address parameter, it is inadequate to prevent command injection. This insecure pattern is systemic, affecting at least 21 functions in the httpd binary that invoke doSystemCmd() with user-influenced data.
An authenticated attacker with valid router admin credentials can exploit this flaw to inject arbitrary OS commands, potentially achieving full root-level code execution on the device.
How can this vulnerability impact me? :
This vulnerability allows an authenticated attacker to inject arbitrary operating system commands on the affected router, leading to full root-level code execution.
The attacker can manipulate the device remotely, potentially taking full control over the router, altering configurations, intercepting or redirecting network traffic, and compromising the security and availability of the network.
Such control could lead to further attacks on connected devices, data theft, or disruption of network services.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability affects the Tenda AC10 V4 router firmware, specifically the function formAddMacfilterRule in the /bin/httpd binary, which allows OS command injection via user input.
Detection can focus on identifying attempts to exploit command injection through the router's web interface, especially targeting MAC filter rule additions or other vulnerable goform handlers.
Since the attack requires authenticated access, monitoring for unusual or suspicious commands executed on the router or unexpected network traffic patterns related to the router's management interface may help.
Specific commands to detect exploitation attempts are not provided in the resources, but general approaches include:
- Monitoring HTTP POST requests to endpoints related to MAC filter rules (e.g., formAddMacfilterRule) for suspicious payloads containing shell metacharacters.
- Using network traffic analysis tools (e.g., tcpdump, Wireshark) to capture and inspect management interface traffic for anomalous inputs.
- On the device, if accessible, checking process execution logs or command history for unexpected commands.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the router's management interface to trusted users only, as exploitation requires authenticated access.
Ensure that only authorized personnel have admin credentials to the router.
If possible, disable remote management features to prevent remote exploitation.
Apply any available firmware updates or patches from the vendor that address this vulnerability.
Longer term, remediation involves sanitizing all user inputs before passing them to system command execution functions, implementing allowlist validation for parameters like MAC addresses, and avoiding constructing OS commands from user input.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how the CVE-2026-5547 vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.