CVE-2026-8263
Status: Received - Intake
Command Injection in Tenda AC6 Router Firmware

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: VulDB

Description
A security flaw has been discovered in Tenda AC6 15.03.06.49_multi_TDE01. Affected is the function fromSetWirelessRepeat of the file /goform/WifiExtraSet of the component httpd. Performing a manipulation of the argument mac/ssid results in OS command injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks.
Meta Information
Published: 2026-05-11
Last Modified: 2026-05-11
Generated: 2026-05-11
AI Q&A: 2026-05-11
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor Product Version / Range
tenda ac6 15.03.06.49_multi_tde01
tenda ac10u to 15.03.06.49 (inc)
CWE

CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Tenda AC6 and AC10U devices, specifically in the fromSetWirelessRepeat function of the httpd component. It involves improper handling of input parameters such as mac and ssid, which allows an attacker to perform OS command injection remotely. This means that an attacker can manipulate these inputs to execute arbitrary commands on the device.

Additionally, for the Tenda AC10U device, a related stack overflow vulnerability occurs because the wpapsk_crypto parameter is copied without length validation, potentially leading to memory corruption.


How can this vulnerability impact me?

The vulnerability allows remote attackers to execute arbitrary operating system commands on affected Tenda devices. This can lead to unauthorized control over the device, potentially allowing attackers to disrupt network operations, steal sensitive information, or use the device as a foothold for further attacks within the network.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by sending a specially crafted request to the vulnerable endpoint /goform/WifiExtraSet targeting the fromSetWirelessRepeat function. A proof-of-concept involves sending a payload with an excessively long string (e.g., 0x500 'a' characters) in parameters such as wpapsk_crypto to trigger the stack overflow.

You can use tools like curl or similar HTTP request utilities to test the endpoint. For example, a command might look like:

  • curl -X POST http://[router_ip]/goform/WifiExtraSet -d "wpapsk_crypto=$(python3 -c 'print("a"*1280)')"

Monitoring network traffic for unusual or malformed requests to /goform/WifiExtraSet can also help detect exploitation attempts.
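As an added example (not part of this advisory, the VulDB record, or Tenda's firmware), the following Python snippet shows the kind of request inspection the monitoring advice above describes. It examines POST bodies sent to /goform/WifiExtraSet and flags mac or ssid values containing shell metacharacters (including percent-encoded ones) and any parameter value that is unusually long, which covers the oversized wpapsk_crypto case. The 256-byte length threshold, the MAC-address format check and the sample requests are assumptions constructed for this example, not values from the advisory.

```python
import re
from urllib.parse import parse_qs

# Endpoint and parameter names taken from the advisory text.
VULN_PATH = "/goform/WifiExtraSet"
INJECTION_PARAMS = ("mac", "ssid")

# Assumptions for this example: legitimate values are short, and a
# mac argument should look like a colon-separated hardware address.
MAX_PARAM_LEN = 256
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")
# Characters that would let a value break out of a shell command line.
SHELL_META_RE = re.compile(r"[;&|`$\n\r<>]")


def inspect_request(method, path, body):
    """Return a list of finding strings for one HTTP request (empty if clean).

    `body` is the raw application/x-www-form-urlencoded request body as a
    str; percent-encoding is decoded before inspection so that %3B is seen
    as ';'.
    """
    findings = []
    if method.upper() != "POST" or path.split("?", 1)[0] != VULN_PATH:
        return findings

    params = parse_qs(body, keep_blank_values=True)
    for name, values in params.items():
        for value in values:
            if name in INJECTION_PARAMS and SHELL_META_RE.search(value):
                findings.append(f"shell metacharacter in {name!r}")
            elif name == "mac" and not MAC_RE.match(value):
                findings.append(f"malformed mac value {value!r}")
            if len(value) > MAX_PARAM_LEN:
                findings.append(f"oversized value in {name!r} ({len(value)} bytes)")
    return findings


def scan_requests(requests):
    """Inspect (method, path, body) tuples; return {index: findings} for hits only."""
    hits = {}
    for idx, (method, path, body) in enumerate(requests):
        findings = inspect_request(method, path, body)
        if findings:
            hits[idx] = findings
    return hits


# Constructed sample traffic: one benign configuration request, one with a
# percent-encoded ';' inside mac, one with an oversized wpapsk_crypto value,
# and one request to an unrelated endpoint that must be ignored.
SAMPLE_REQUESTS = [
    ("POST", VULN_PATH, "mac=00:11:22:33:44:55&ssid=HomeNet&wpapsk_crypto=secret"),
    ("POST", VULN_PATH, "mac=00%3A11%3A22%3A33%3A44%3A55%3Becho%20x&ssid=HomeNet"),
    ("POST", VULN_PATH, "mac=00:11:22:33:44:55&wpapsk_crypto=" + "a" * 1280),
    ("POST", "/goform/SysStatus", "mac=00:11:22:33:44:55%3Becho%20x"),
]

if __name__ == "__main__":
    for idx, findings in scan_requests(SAMPLE_REQUESTS).items():
        print(f"request {idx}: " + "; ".join(findings))
```

Note that parse_qs splits on `&`, so a raw `&` inside a value shows up as an extra, empty parameter rather than inside mac or ssid; a production rule should additionally compare the parameter names seen against the endpoint's expected set. The same inspection logic can be dropped into a reverse proxy or IDS hook in front of the management interface to block matching requests rather than only log them.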


What immediate steps should I take to mitigate this vulnerability?

Since no official patch has been released by the vendor yet, immediate mitigation steps include:

  • Restrict remote access to the router's management interface to trusted networks only.
  • Disable remote management features if not needed.
  • Monitor the vendor's official website for firmware updates addressing this vulnerability.
  • Implement network-level protections such as firewall rules to block suspicious requests targeting /goform/WifiExtraSet.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

