CVE-2026-38142 Overview
CVE-2026-38142 is an unauthenticated operating system command injection vulnerability in the Tenda AC18 wireless router running firmware version v15.03.05.05. The flaw exists in the /goform/fast_setting_internet_set endpoint, which fails to sanitize input passed through the mac parameter. Attackers on the network can inject shell metacharacters into this parameter to execute arbitrary commands on the device. The vulnerability is classified under [CWE-77] (Improper Neutralization of Special Elements used in a Command) and has been documented as a second-order command injection issue.
Critical Impact
Unauthenticated attackers with network access to the router can execute arbitrary operating system commands, enabling device takeover, traffic interception, and pivoting into internal networks.
Affected Products
- Tenda AC18 wireless router
- Firmware version v15.03.05.05
- /goform/fast_setting_internet_set HTTP endpoint
Discovery Timeline
- 2026-07-01 - CVE-2026-38142 published to the National Vulnerability Database
- 2026-07-01 - Last updated in NVD database
Technical Details for CVE-2026-38142
Vulnerability Analysis
The Tenda AC18 exposes a web management interface that includes the /goform/fast_setting_internet_set handler for configuring internet connectivity during initial setup. This handler accepts a mac parameter intended to hold a client MAC address. The parameter value is passed to an underlying system shell without adequate validation or escaping. Because the endpoint does not require authentication, any attacker who can reach the router's management interface can send a crafted POST request that includes shell metacharacters in mac.
The issue is described as a second-order command injection. The tainted mac value is stored during the request and later concatenated into a system command executed by the router firmware. When that downstream execution occurs, the injected payload runs with the privileges of the web service, typically root on embedded Linux routers.
Root Cause
The root cause is missing input neutralization on the mac parameter before it is used to build an operating system command. The firmware trusts the client-supplied value and passes it directly to a shell interpreter, matching the [CWE-77] pattern. The endpoint also lacks authentication controls, which removes any barrier between an attacker and the vulnerable code path.
Attack Vector
The attack is network-based and requires no credentials or user interaction. An attacker submits an HTTP POST request to /goform/fast_setting_internet_set with a mac value containing shell metacharacters such as backticks, semicolons, or the $( ) construct. When the firmware processes the stored parameter in its command pipeline, the injected commands execute. Successful exploitation can be used to modify configuration, extract credentials, deploy persistent implants, or intercept LAN traffic. Full technical details are available in the Tenda AC18 Unauthenticated Second-Order OS Command Injection write-up.
Detection Methods for CVE-2026-38142
Indicators of Compromise
- HTTP POST requests to /goform/fast_setting_internet_set originating from unexpected LAN or WAN sources.
- Values in the mac parameter that contain shell metacharacters such as ;, |, `, $(, or &&.
- Unexpected outbound connections from the router to attacker-controlled infrastructure following configuration requests.
- New or modified processes on the router that were not part of the shipped firmware image.
Detection Strategies
- Inspect web server and firewall logs for requests to /goform/fast_setting_internet_set and flag payloads where mac does not match a valid MAC address format.
- Deploy network intrusion detection signatures that alert on router administrative endpoints being reached from untrusted network segments.
- Baseline normal router management traffic and alert on deviations, such as management endpoints receiving traffic from client subnets that never previously touched them.
Monitoring Recommendations
- Forward router syslog and administrative HTTP logs to a centralized logging platform for retention and correlation.
- Monitor DNS and NetFlow telemetry for the router's management IP to detect command-and-control beaconing that would indicate post-exploitation activity.
- Track firmware integrity by comparing running configuration and file hashes against a known-good baseline.
How to Mitigate CVE-2026-38142
Immediate Actions Required
- Restrict access to the router's web management interface to trusted management VLANs or hosts using ACLs.
- Disable remote WAN-side administration if it is enabled.
- Change default administrative credentials and audit for unauthorized configuration changes.
- Review router logs for prior requests to /goform/fast_setting_internet_set that contain non-MAC characters in the mac parameter.
Patch Information
No vendor patch has been published in the referenced advisory at the time of NVD publication on 2026-07-01. Administrators should monitor Tenda's product support channels for firmware updates addressing the fast_setting_internet_set handler and apply them as soon as they become available. Refer to the public vulnerability report for reproduction details.
Workarounds
- Place affected Tenda AC18 devices behind a network segment that blocks untrusted clients from reaching TCP ports serving the web UI.
- Replace end-of-support hardware with actively maintained models where a fixed firmware is not available.
- Disable the initial setup wizard endpoints after provisioning if the firmware exposes an option to do so.
- Consider replacing the stock firmware with a vetted third-party build on supported hardware where organizational policy permits.
# Example: restrict management access on an upstream firewall (iptables)
iptables -A FORWARD -p tcp -d <router_mgmt_ip> --dport 80 -s <trusted_admin_subnet> -j ACCEPT
iptables -A FORWARD -p tcp -d <router_mgmt_ip> --dport 80 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

