Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
A command injection vulnerability exists in Tenda AC18 V15.03.05.05_multi. The vulnerability is located in the /goform/SetSambaCfg interface, where improper handling of the guestuser parameter allows attackers to execute arbitrary system commands.
AnalysisAI
Remote unauthenticated command injection in Tenda AC18 router firmware V15.03.05.05_multi allows complete device compromise via the SetSambaCfg interface. Attackers can execute arbitrary system commands by manipulating the guestuser parameter in HTTP requests to /goform/SetSambaCfg. CVSS 9.8 critical severity with network attack vector and no authentication required. EPSS score of 0.06% (19th percentile) suggests low observed exploitation despite extreme technical severity. Publicly documented exploit proof-of-concept exists on GitHub.
Technical ContextAI
The vulnerability affects the Samba/SMB file sharing configuration interface in Tenda AC18 wireless router firmware. The /goform/SetSambaCfg endpoint processes configuration parameters for network file sharing but fails to sanitize the guestuser parameter before passing it to system command execution functions. This is a classic CWE-77 command injection flaw where user-controlled input is concatenated into shell commands without proper escaping or validation. The affected firmware version V15.03.05.05_multi runs on embedded Linux systems typical of consumer routers, where web interfaces execute commands with root privileges. Router management interfaces commonly process configuration parameters through CGI-like handlers that directly invoke system utilities, making command injection particularly dangerous since successful exploitation grants complete administrative control over the device.
RemediationAI
No vendor-released patch identified at time of analysis-Tenda has not published security advisories or firmware updates addressing CVE-2026-31255 according to available references. Until vendor patches become available, implement these compensating controls: (1) Disable remote management access to the router's web interface-restrict admin panel access to LAN-only connections by disabling WAN-side management in router settings under System Administration or Remote Management; this prevents internet-based exploitation but does not protect against LAN-based attackers. (2) Disable Samba/SMB file sharing functionality entirely if not required for network operations; this removes the vulnerable /goform/SetSambaCfg endpoint from the attack surface but eliminates file sharing capability. (3) Deploy network segmentation to isolate the router's management interface on a dedicated VLAN accessible only to authorized administrators; this reduces exposure but requires additional network infrastructure. (4) Monitor for replacement-consider migrating to alternative router hardware with active security support, as consumer router vendors including Tenda have poor track records for publishing timely security patches for end-of-life firmware. Reference: https://github.com/izxnfirh8148/CVE_REQUESTS_references/blob/main/Tenda_AC18/Tenda_AC18_3th/README.md contains technical details but no remediation guidance.
Tenda ONT GPON AC1200 Dual band WiFi HG9 v1.0.1 is vulnerable to Command Injection via the Ping function. Rated high sev
Mediabridge Medialink MWN-WAPR300N devices with firmware 5.07.50 and Tenda N3 Wireless N150 devices allow remote attacke
The Shenzhen Tenda Technology Tenda A5s router with firmware 3.02.05_CN allows remote attackers to bypass authentication
Tenda AC9 v15.03.05.14 was discovered to contain a command injection vulnerability via the Telnet function. Rated critic
In Tenda AC9 v1.0 V15.03.05.14_multi, the wanMTU parameter of /goform/AdvSetMacMtuWan has a stack overflow vulnerability
Tenda AC9 V15.03.06.42_multi was found to contain a command injection vulnerability in the formSetSambaConf function via
Tenda AC9 V15.03.06.42_multi was found to contain a command injection vulnerability in the formsetUsbUnload function via
Tenda AC23 v16.03.07.44 was discovered to contain a buffer overflow via fromAdvSetMacMtuWan. Rated critical severity (CV
Tenda AC15 v15.03.05.19 is vulnerable to Command Injection via the handler function in /goform/telnet. Rated critical se
Tenda AX1803 v1.0.0.1 was discovered to contain a command injection vulnerability via the function fromAdvSetLanIp. Rate
Tenda AX3 v16.03.12.11 was discovered to contain a remote code execution (RCE) vulnerability via the list parameter at /
In the Tenda ac9 v1.0 router with firmware V15.03.05.14_multi, there is a stack overflow vulnerability in /goform/WifiWp
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25898