CVE-2026-24105 Overview
CVE-2026-24105 is a command injection vulnerability in the Tenda AC15V1.0 router running firmware version V15.03.05.18_multi. The flaw resides in the goform/formsetUsbUnload endpoint, where the v1 parameter is passed to doSystemCmd without validation or sanitization. An unauthenticated attacker can inject arbitrary shell commands over the network and execute them with the privileges of the router's web management process. The vulnerability is classified under CWE-94: Improper Control of Generation of Code.
Critical Impact
Unauthenticated remote attackers can execute arbitrary operating system commands on affected Tenda AC15 devices, leading to full device compromise.
Affected Products
- Tenda AC15 (hardware version 1.0)
- Tenda AC15 firmware V15.03.05.18_multi
- cpe:2.3:o:tenda:ac15_firmware:15.03.05.18 and cpe:2.3:h:tenda:ac15:1.0
Discovery Timeline
- 2026-03-02 - CVE-2026-24105 published to NVD
- 2026-03-06 - Last updated in NVD database
Technical Details for CVE-2026-24105
Vulnerability Analysis
The Tenda AC15 web management interface exposes the goform/formsetUsbUnload handler, which is responsible for unmounting attached USB storage. The handler reads the v1 value from the HTTP request and forwards it directly into the doSystemCmd function. doSystemCmd wraps the libc system() call, so any shell metacharacters in v1 are interpreted by /bin/sh. Because the endpoint does not enforce authentication on the underlying network boundary, attackers reachable on the LAN — or on the WAN where remote management is enabled — can trigger the injection. Successful exploitation yields command execution as the web daemon, typically running with root privileges on Tenda consumer devices. With an EPSS score of 1.955% (83.667 percentile), the probability of near-term exploitation is elevated relative to most CVEs.
Root Cause
The root cause is missing input validation on the v1 parameter inside the formsetUsbUnload handler. The firmware concatenates v1 into a shell command string and passes the result to doSystemCmd without escaping, filtering, or restricting characters such as ;, |, &, and backticks.
Attack Vector
The attack is delivered over the network via a crafted HTTP POST request to /goform/formsetUsbUnload. No authentication, user interaction, or privileged access is required. An attacker appends shell metacharacters to the v1 parameter to chain arbitrary commands onto the command line built by doSystemCmd. See the public CVE-2026-24105 report for additional technical analysis.
No verified proof-of-concept code is published with this advisory. The vulnerability mechanism — direct concatenation of an attacker-controlled HTTP parameter into a system() invocation — is consistent with other documented Tenda goform command injection issues.
Detection Methods for CVE-2026-24105
Indicators of Compromise
- HTTP POST requests to /goform/formsetUsbUnload containing shell metacharacters (;, |, &, `, $()) in the v1 parameter.
- Outbound connections from the router to unfamiliar hosts shortly after USB-related management requests.
- Unexpected child processes spawned by the Tenda web daemon, such as sh, wget, curl, tftp, or busybox invocations.
Detection Strategies
- Inspect web traffic destined for Tenda AC15 management interfaces for requests targeting formsetUsbUnload with non-alphanumeric v1 values.
- Correlate router syslog entries with new outbound connections to identify command execution following management API calls.
- Monitor DNS queries originating from the router for lookups associated with malware staging infrastructure.
Monitoring Recommendations
- Forward router and perimeter firewall logs to a centralized analytics platform and alert on HTTP requests matching goform/formset* patterns from untrusted segments.
- Baseline normal management traffic so anomalous POSTs to USB-related endpoints generate alerts.
- Track firmware version inventories so devices running V15.03.05.18_multi are flagged for prioritized response.
How to Mitigate CVE-2026-24105
Immediate Actions Required
- Disable remote (WAN-side) web management on all Tenda AC15 devices.
- Restrict LAN access to the router management interface to a dedicated administrative VLAN or trusted hosts.
- Block external HTTP/HTTPS access to /goform/formsetUsbUnload at the perimeter or upstream firewall.
- Audit Tenda AC15 inventory for devices running firmware V15.03.05.18_multi and prioritize them for replacement or firmware updates.
Patch Information
No vendor patch is referenced in the NVD entry at the time of publication. Consult the Tenda support portal for firmware updates and advisories. If no fixed firmware is available, treat affected devices as end-of-support and replace them with a supported model.
Workarounds
- Place affected routers behind a network segment that denies untrusted hosts access to the management interface.
- Disable USB storage features if not in use, reducing the operational need to call formsetUsbUnload.
- Apply ACLs on upstream firewalls that drop HTTP POST requests targeting goform/formsetUsbUnload from non-administrative sources.
# Example iptables rule to block external access to the vulnerable endpoint
iptables -A FORWARD -p tcp --dport 80 \
-m string --string "/goform/formsetUsbUnload" --algo bm \
-j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
