CVE-2026-11556
Description
Tenda F451 routers are vulnerable to OS command injection via the Web Management Interface, allowing remote attackers to achieve root-level RCE.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A security flaw exists in the Tenda F451 Wireless Router, specifically in firmware versions V1.0.0.7 and V1.0.0.9. The vulnerability resides within the formWriteFacMac function in the /goform/WriteFacMac endpoint of the Web Management Interface. This function is responsible for updating the device's factory MAC address and directly incorporates user-supplied input from the mac parameter into a system command without proper sanitization or validation [1].
Exploitation
An unauthenticated remote attacker can exploit this vulnerability by sending a crafted HTTP POST request to the /goform/WriteFacMac endpoint. The request must contain shell metacharacters within the mac parameter, such as ;ls, which will be appended to the intended cfm mac command. This allows the attacker to inject and execute arbitrary operating system commands [1].
Impact
Successful exploitation of this vulnerability grants the attacker Remote Code Execution (RCE) with root privileges on the affected Tenda F451 router. This level of access allows for a full system compromise, enabling the attacker to control the device and potentially use it as a pivot point for further network attacks [1].
Mitigation
Fixed firmware versions are not yet disclosed in the available references. Tenda's official website provides general product information but does not list specific security advisories or patches for this vulnerability [2]. Users are advised to monitor Tenda's support channels for potential updates. There is no information regarding workarounds or end-of-life status for the affected versions.
AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"The formWriteFacMac function directly concatenates user-controlled input from the 'mac' parameter into a system command without proper sanitization."
Attack vector
An attacker can exploit this vulnerability by sending a POST request to the /goform/WriteFacMac endpoint. The request must contain a 'mac' parameter with shell metacharacters appended to a valid MAC address format. This manipulation allows arbitrary commands to be executed on the system with root privileges, as demonstrated by the inclusion of ";ls" in the PoC [1]. The vulnerability is remotely exploitable and requires no authentication.
Affected code
The vulnerability resides in the formWriteFacMac function within the /goform/WriteFacMac endpoint. Specifically, the issue arises from the direct use of the 'mac' parameter in the doSystemCmd function call, which executes `cfm mac %s` with the user-supplied input [1].
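As an added illustration (not Tenda's code or the vendor's patch), a hardened handler for the pattern described above: the 'mac' value is checked against a strict allow-list before use, and the helper is executed with an argv array instead of a shell command string. The helper name `cfm` and the `cfm mac <addr>` argument layout are taken from the advisory text; the function names `is_valid_mac` and `write_fac_mac` are assumptions.

```c
#include <ctype.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Return 1 if s is exactly "XX:XX:XX:XX:XX:XX" (hex digits, colon
 * separators), else 0. Any other byte, including ';', '|', '`', '$'
 * or whitespace, fails the check. */
int is_valid_mac(const char *s)
{
    if (s == NULL || strlen(s) != 17)
        return 0;
    for (int i = 0; i < 17; i++) {
        if (i % 3 == 2) {
            if (s[i] != ':')
                return 0;
        } else if (!isxdigit((unsigned char)s[i])) {
            return 0;
        }
    }
    return 1;
}

/* Hardened replacement for the pattern doSystemCmd("cfm mac %s", mac)
 * described in the advisory: validate first, then exec the helper with
 * an argv array so no /bin/sh ever parses the value. "cfm mac <addr>"
 * is the argument layout assumed from the advisory text.
 * Returns 0 on success, -1 on rejected input or helper failure. */
int write_fac_mac(const char *mac)
{
    if (!is_valid_mac(mac))
        return -1;                  /* reject before touching the system */

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* child: direct exec, so metacharacters in mac would be inert */
        execlp("cfm", "cfm", "mac", mac, (char *)NULL);
        _exit(127);                 /* helper missing or not executable */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}
```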
What the fix does
The patch is not available in the provided information. The advisory recommends updating to a fixed version when available. Until a patch is released, users should be aware of the vulnerability and take appropriate network security measures.
Preconditions
- network: The target device must be accessible over the network.
- input: The attacker must be able to send a POST request to the /goform/WriteFacMac endpoint with a manipulated 'mac' parameter.
Reproduction
```python
import requests

# Default LAN address of the router; adjust to the device under test
host = "192.168.0.1:80"


def exploit_WriteFacMac():
    # POST to the affected endpoint with a shell metacharacter in 'mac',
    # which the advisory describes as being appended to the 'cfm mac' command
    url = f"http://{host}/goform/WriteFacMac"
    data = {b'mac': b';ls'}
    res = requests.post(url=url, data=data)
    print(res.content)


exploit_WriteFacMac()
```
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (6)
News mentions (1)
- Tenda Routers: 13 Stack Overflow and Command Injection Vulnerabilities Disclosed, Vypr Intelligence · Jun 8, 2026