CVE-2026-5547 Overview
A command injection vulnerability has been discovered in the Tenda AC10 router firmware version 16.03.10.10_multi_TDE01. The vulnerability exists within the formAddMacfilterRule function located in the /bin/httpd file. Attackers can exploit this flaw to inject and execute arbitrary operating system commands on the affected device. The vulnerability is remotely exploitable, and multiple endpoints may be affected.
Critical Impact
Remote attackers with low privileges can execute arbitrary OS commands on the router, potentially leading to complete device compromise, network infiltration, and persistent backdoor access.
Affected Products
- Tenda AC10 firmware version 16.03.10.10_multi_TDE01
- Tenda AC10 routers running the vulnerable /bin/httpd service
- Multiple endpoints utilizing the formAddMacfilterRule function
Discovery Timeline
- April 5, 2026 - CVE-2026-5547 published to NVD
- April 7, 2026 - Last updated in NVD database
Technical Details for CVE-2026-5547
Vulnerability Analysis
This vulnerability is classified as CWE-77 (Improper Neutralization of Special Elements used in a Command). The formAddMacfilterRule function in the Tenda AC10 router's web server (/bin/httpd) fails to properly sanitize user-supplied input before passing it to system command execution functions. This allows an authenticated remote attacker to inject malicious commands that are executed with the privileges of the web server process.
The attack can be launched remotely over the network without requiring user interaction. An attacker with low-level access to the router's web interface can craft malicious requests targeting the vulnerable function. Multiple endpoints may expose this functionality, increasing the attack surface.
Root Cause
The root cause of this vulnerability lies in insufficient input validation and sanitization within the formAddMacfilterRule function. When processing MAC filter rule parameters, the function constructs system commands using user-controllable input without proper escaping or validation. This allows special characters and command separators (such as ;, |, or $()) to break out of the intended command context and execute attacker-supplied commands.
Attack Vector
The attack is network-based, requiring the attacker to have network access to the router's web management interface. With low privileges (authenticated access to the web interface), an attacker can send specially crafted HTTP requests to the /bin/httpd service targeting the formAddMacfilterRule endpoint.
The malicious payload would typically be embedded within parameters expected by the MAC filter rule functionality. When the vulnerable function processes these parameters and constructs a system command, the injected payload executes with the privileges of the httpd process—typically root on embedded devices like routers.
This could allow attackers to:
- Execute arbitrary commands on the router
- Modify router configuration
- Establish persistent backdoor access
- Pivot to attack other devices on the network
- Intercept or manipulate network traffic
For detailed technical analysis and proof-of-concept information, refer to the GitHub Command Injection Findings.
Detection Methods for CVE-2026-5547
Indicators of Compromise
- Unusual outbound connections from the router to external IP addresses
- Modified configuration files or unexpected cron jobs on the device
- Suspicious HTTP requests to the router's web server (/bin/httpd) containing shell metacharacters (;, |, &&, $())
- Unexpected processes running on the router device
- Network traffic anomalies indicating command and control communications
Detection Strategies
- Monitor HTTP request logs for requests targeting MAC filter endpoints with suspicious characters
- Implement network intrusion detection rules to identify command injection payloads in HTTP traffic
- Deploy web application firewall (WAF) rules to block requests containing shell metacharacters
- Enable logging on the router if available and monitor for command execution anomalies
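The following Python script is an added example, not code from the advisory or from Tenda. It combines the strict allowlist check that a hardened formAddMacfilterRule should apply to MAC-filter parameters (Root Cause above) with the log-inspection logic suggested under Detection Strategies. The endpoint path /goform/addMacfilterRule, the parameter names and the log lines are constructed placeholders; the advisory does not give the real paths or parameter names.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Strict allowlist for one MAC address: six hex octets joined by ':' or '-'.
# This is the check a hardened formAddMacfilterRule should apply before the
# value reaches any command string; the detector reuses it on the log side.
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}")
# Shell metacharacters named in the advisory, plus backtick and newline.
META_RE = re.compile(r"[;|&`$()\n]")
# Assumption: the vulnerable endpoint path contains "macfilter" (any case).
ENDPOINT_HINT = "macfilter"

def is_valid_mac(value: str) -> bool:
    return MAC_RE.fullmatch(value) is not None

def inspect_request(path: str, body: str = "") -> list:
    """Return (param, decoded value) pairs that should never reach a shell."""
    url = urlsplit(path)
    if ENDPOINT_HINT not in url.path.lower():
        return []
    params = parse_qsl(url.query, keep_blank_values=True)
    params += parse_qsl(body, keep_blank_values=True)  # form-encoded POST body
    findings = []
    for name, value in params:
        # MAC-typed parameters must match the allowlist exactly; anything
        # else (including URL-encoded ';' or '$(') is rejected, not repaired.
        if "mac" in name.lower() and not is_valid_mac(value):
            findings.append((name, value))
        elif META_RE.search(value):
            findings.append((name, value))
    return findings

# Constructed log lines (not from any real device): "client method path body".
SAMPLE_LOG = """\
10.0.0.5 POST /goform/addMacfilterRule mac=00:11:22:33:44:55&enable=1
10.0.0.9 POST /goform/addMacfilterRule mac=00:11:22:33:44:55%3Breboot&enable=1
10.0.0.9 GET /goform/addMacfilterRule?mac=00%3A11%3A22%3A33%3A44%3A55&name=%24%28id%29 -
10.0.0.7 GET /goform/WifiBasicSet?ssid=home%3Bid -
"""

def scan_log(text: str) -> list:
    """Return (client, param, value) for every suspicious parameter seen."""
    hits = []
    for line in text.splitlines():
        client, _method, path, body = line.split(" ", 3)
        body = "" if body == "-" else body
        for name, value in inspect_request(path, body):
            hits.append((client, name, value))
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("suspicious MAC-filter parameter from %s: %s=%r" % hit)
```

Only requests whose path matches the MAC-filter endpoint are inspected, so the encoded ';' in the unrelated WifiBasicSet request is deliberately not reported; widen ENDPOINT_HINT if other endpoints share the vulnerable function.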
Monitoring Recommendations
- Implement network segmentation to isolate router management interfaces from untrusted networks
- Configure SIEM alerts for unusual HTTP request patterns targeting router administration endpoints
- Monitor for firmware modifications or unexpected device reboots
- Track authentication attempts and session activity on the router's web interface
How to Mitigate CVE-2026-5547
Immediate Actions Required
- Restrict access to the router's web management interface to trusted IP addresses only
- Disable remote management features if not required
- Implement strong authentication credentials for the router's administrative interface
- Place the router behind a firewall that blocks unauthorized access to management ports
- Monitor for and apply firmware updates from Tenda when available
Patch Information
No official patch information is currently available from Tenda. Users should monitor the Tenda Official Website for firmware updates addressing this vulnerability. Additionally, check the VulDB Vulnerability #355311 for the latest status updates.
Workarounds
- Disable the web management interface entirely if not needed for operations
- Implement network-level access controls (ACLs) to restrict access to the router's web interface to management VLANs only
- Use a VPN to access router administration remotely instead of exposing the interface directly
- Consider replacing vulnerable devices with alternatives that receive regular security updates
- Deploy a reverse proxy with WAF capabilities in front of the management interface to filter malicious requests
# Example: Restrict router management access via iptables on an upstream firewall
# Block forwarded access to the router's management ports (adjust IP and ports as needed)
iptables -A FORWARD -d 192.168.1.1 -p tcp --dport 80 -j DROP
iptables -A FORWARD -d 192.168.1.1 -p tcp --dport 443 -j DROP
# Allow management access only from the trusted admin workstation, on both ports.
# -I inserts at the head of the chain, so these ACCEPT rules are evaluated before the DROP rules above.
iptables -I FORWARD -s 192.168.1.100 -d 192.168.1.1 -p tcp --dport 80 -j ACCEPT
iptables -I FORWARD -s 192.168.1.100 -d 192.168.1.1 -p tcp --dport 443 -j ACCEPT
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.