CVE-2022-46538
Description
Tenda F1203 V2.0.1.6 was discovered to contain a command injection vulnerability via the mac parameter at /goform/WriteFacMac.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Tenda F1203 V2.0.1.6 contains a command injection vulnerability via the mac parameter at /goform/WriteFacMac, allowing unauthenticated RCE.
Vulnerability
Tenda F1203 router firmware version V2.0.1.6 (downloadable from the vendor site [1]) contains a command injection vulnerability in the /goform/WriteFacMac endpoint. The mac parameter is passed unsanitised to a system-level function, enabling injection of arbitrary OS commands [1]. No authentication is required to reach this endpoint.
Exploitation
An attacker can send an HTTP POST request to /goform/WriteFacMac with a crafted mac value containing shell metacharacters. For example, mac=00:01:02:11:22:33;echo%20hello executes the echo command after the MAC address [1]. No prior authentication or session is needed; the vulnerability is reachable from the local network.
Impact
Successful command injection allows an attacker to execute arbitrary operating system commands with the privileges of the web server process (typically root). This can lead to full device compromise, including information disclosure, file modification, or denial of service [1].
Mitigation
As of the publication date (2022-12-20), no official patch or fixed firmware version has been released by Tenda [1]. Users should consider replacing the device if security updates remain unavailable, or restrict network access to the management interface as a workaround.
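Where the device has to stay in service, requests to this endpoint can be screened at an upstream proxy or during log review by allow-listing the mac value. The following is an added example, not code from the advisory or from Tenda; the function names and the sample requests are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

ENDPOINT = "/goform/WriteFacMac"  # path named in the advisory
# Strict allow-list: six hex octets separated by colons, nothing else.
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}")


def check_request(path, body):
    """Return findings for one request (hypothetical helper); [] means clean."""
    target, _, query = path.partition("?")
    if target.rstrip("/") != ENDPOINT:
        return []
    # Merge query-string and form-body parameters. Only '&' separates pairs,
    # so a ';' stays inside the value. parse_qs percent-decodes for us.
    params = {}
    for source in (query, body):
        parsed = parse_qs(source, keep_blank_values=True, separator="&")
        for key, values in parsed.items():
            params.setdefault(key, []).extend(values)
    macs = params.get("mac", [])
    findings = []
    if len(macs) > 1:
        findings.append("mac supplied more than once")
    for value in macs:
        # fullmatch rejects any trailing character, including a newline.
        if not MAC_RE.fullmatch(value):
            findings.append(f"mac is not a plain MAC address: {value!r}")
    return findings


# Constructed sample requests as (path, body); not captured traffic.
SAMPLES = [
    ("/goform/WriteFacMac", "mac=00:01:02:11:22:33"),
    ("/goform/WriteFacMac", "mac=00%3A01%3A02%3A11%3A22%3A33"),
    ("/goform/WriteFacMac", "mac=00:01:02:11:22:33;echo%20hello"),  # from the advisory
    ("/goform/WriteFacMac", "mac=00:01:02:11:22:33&mac=00:01:02:11:22:34"),
    ("/index.html", "mac=anything"),
]


def scan(samples):
    """Return (path, body, findings) for every sample that needs review."""
    hits = [(p, b, check_request(p, b)) for p, b in samples]
    return [hit for hit in hits if hit[2]]


if __name__ == "__main__":
    for path, body, findings in scan(SAMPLES):
        print(path, body, findings)
```

The same allow-list pattern can back a proxy rule that rejects any request to the endpoint whose mac value does not match it.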
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Tenda/F1203
Patches
No patches discovered yet.
References