CVE-2026-8259
Analyzed Analyzed - Analysis Complete
OS Command Injection in Tenda AC6 Router

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: VulDB

Description
A vulnerability has been found in Tenda AC6 2.0/15.03.06.23. The affected element is an unknown function of the file /goform/telnet of the component httpd. The manipulation of the argument lan.ip leads to os command injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-11
Generated
2026-06-20
AI Q&A
2026-05-11
EPSS Evaluated
2026-06-19
NVD
CVE-2026-8259
EUVD
EUVD-2026-29015
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tenda ac6_firmware 15.03.06.23
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can have significant impacts including unauthorized execution of arbitrary commands on the affected router. This can lead to compromise of the device's confidentiality, integrity, and availability.

  • Attackers can read sensitive files or data stored on the device.
  • Attackers may disrupt normal device operations, potentially causing denial of service.
  • The device could be used as a foothold for further attacks within the network.
Executive Summary

CVE-2026-8259 is an OS command injection vulnerability found in the Tenda AC6 V2.0 router firmware version 15.03.06.23. The flaw exists in the /goform/telnet endpoint of the httpd component, specifically in the handling of the "lan.ip" parameter. This parameter is processed without proper input sanitization and is directly passed to a system command execution function, allowing an attacker to inject arbitrary OS commands.

An attacker with valid session credentials can exploit this vulnerability remotely by sending a crafted POST request to the /goform/telnet endpoint with a malicious "lan.ip" value, enabling them to execute arbitrary commands on the device.

Detection Guidance

This vulnerability can be detected by sending a crafted POST request to the /goform/telnet endpoint with a malicious "lan.ip" parameter to test for command injection.

For example, you can attempt to inject a command such as reading the /etc/passwd file by including a payload in the "lan.ip" parameter.

A detection command might involve using curl or a similar HTTP client to send a POST request like:

  • curl -X POST http://[router_ip]/goform/telnet -d "lan.ip=127.0.0.1; cat /etc/passwd"

If the response contains contents of the /etc/passwd file or other command output, it indicates the presence of the vulnerability.

Mitigation Strategies

Immediate mitigation steps include restricting access to the affected router's management interface to trusted users only, especially limiting remote access.

Ensure that only authorized users with valid session credentials can access the /goform/telnet endpoint.

If possible, disable or restrict the vulnerable function or service until a firmware update or patch is available.

Monitor network traffic for suspicious POST requests targeting /goform/telnet with unusual parameters.

Apply any available firmware updates from the vendor that address this vulnerability once released.

Compliance Impact

CVE-2026-8259 is an OS command injection vulnerability in the Tenda AC6 router that allows an attacker with valid credentials to execute arbitrary commands on the device. This can lead to unauthorized access and potential compromise of confidentiality, integrity, and availability of data handled by the device.

Such a vulnerability could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data. If exploited, it may result in unauthorized data access or manipulation, violating data protection requirements and potentially leading to regulatory penalties.

However, the provided information does not explicitly discuss or analyze the direct impact of this vulnerability on compliance with these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8259. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart