Skip to main content

Tenda AC18 CVE-2026-31255

| EUVDEUVD-2026-25898 CRITICAL
Command Injection (CWE-77)
2026-04-27 mitre
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 28, 2026 - 15:22 vuln.today
cvss_changed
Analysis Generated
Apr 28, 2026 - 14:53 vuln.today
CVSS changed
Apr 28, 2026 - 14:52 NVD
9.8 (CRITICAL)
EUVD ID Assigned
Apr 27, 2026 - 19:00 euvd
EUVD-2026-25898
Analysis Generated
Apr 27, 2026 - 19:00 vuln.today
CVE Published
Apr 27, 2026 - 00:00 nvd
CRITICAL 9.8

DescriptionCVE.org

A command injection vulnerability exists in Tenda AC18 V15.03.05.05_multi. The vulnerability is located in the /goform/SetSambaCfg interface, where improper handling of the guestuser parameter allows attackers to execute arbitrary system commands.

AnalysisAI

Remote unauthenticated command injection in Tenda AC18 router firmware V15.03.05.05_multi allows complete device compromise via the SetSambaCfg interface. Attackers can execute arbitrary system commands by manipulating the guestuser parameter in HTTP requests to /goform/SetSambaCfg. CVSS 9.8 critical severity with network attack vector and no authentication required. EPSS score of 0.06% (19th percentile) suggests low observed exploitation despite extreme technical severity. Publicly documented exploit proof-of-concept exists on GitHub.

Technical ContextAI

The vulnerability affects the Samba/SMB file sharing configuration interface in Tenda AC18 wireless router firmware. The /goform/SetSambaCfg endpoint processes configuration parameters for network file sharing but fails to sanitize the guestuser parameter before passing it to system command execution functions. This is a classic CWE-77 command injection flaw where user-controlled input is concatenated into shell commands without proper escaping or validation. The affected firmware version V15.03.05.05_multi runs on embedded Linux systems typical of consumer routers, where web interfaces execute commands with root privileges. Router management interfaces commonly process configuration parameters through CGI-like handlers that directly invoke system utilities, making command injection particularly dangerous since successful exploitation grants complete administrative control over the device.

RemediationAI

No vendor-released patch identified at time of analysis-Tenda has not published security advisories or firmware updates addressing CVE-2026-31255 according to available references. Until vendor patches become available, implement these compensating controls: (1) Disable remote management access to the router's web interface-restrict admin panel access to LAN-only connections by disabling WAN-side management in router settings under System Administration or Remote Management; this prevents internet-based exploitation but does not protect against LAN-based attackers. (2) Disable Samba/SMB file sharing functionality entirely if not required for network operations; this removes the vulnerable /goform/SetSambaCfg endpoint from the attack surface but eliminates file sharing capability. (3) Deploy network segmentation to isolate the router's management interface on a dedicated VLAN accessible only to authorized administrators; this reduces exposure but requires additional network infrastructure. (4) Monitor for replacement-consider migrating to alternative router hardware with active security support, as consumer router vendors including Tenda have poor track records for publishing timely security patches for end-of-life firmware. Reference: https://github.com/izxnfirh8148/CVE_REQUESTS_references/blob/main/Tenda_AC18/Tenda_AC18_3th/README.md contains technical details but no remediation guidance.

More in Tenda

View all
CVE-2022-30023 HIGH POC
8.8 Jun 16

Tenda ONT GPON AC1200 Dual band WiFi HG9 v1.0.1 is vulnerable to Command Injection via the Ping function. Rated high sev

CVE-2015-5995 CRITICAL POC
9.8 Dec 31

Mediabridge Medialink MWN-WAPR300N devices with firmware 5.07.50 and Tenda N3 Wireless N150 devices allow remote attacke

CVE-2014-5246 CRITICAL POC
10.0 Aug 22

The Shenzhen Tenda Technology Tenda A5s router with firmware 3.02.05_CN allows remote attackers to bypass authentication

CVE-2025-45042 CRITICAL POC
9.8 May 05

Tenda AC9 v15.03.05.14 was discovered to contain a command injection vulnerability via the Telnet function. Rated critic

CVE-2025-29384 CRITICAL POC
9.8 Mar 14

In Tenda AC9 v1.0 V15.03.05.14_multi, the wanMTU parameter of /goform/AdvSetMacMtuWan has a stack overflow vulnerability

CVE-2025-44877 CRITICAL POC
9.8 May 02

Tenda AC9 V15.03.06.42_multi was found to contain a command injection vulnerability in the formSetSambaConf function via

CVE-2025-44872 CRITICAL POC
9.8 May 02

Tenda AC9 V15.03.06.42_multi was found to contain a command injection vulnerability in the formsetUsbUnload function via

CVE-2022-32386 CRITICAL POC
9.8 Jul 06

Tenda AC23 v16.03.07.44 was discovered to contain a buffer overflow via fromAdvSetMacMtuWan. Rated critical severity (CV

CVE-2025-25632 CRITICAL POC
9.8 Mar 05

Tenda AC15 v15.03.05.19 is vulnerable to Command Injection via the handler function in /goform/telnet. Rated critical se

CVE-2023-51972 CRITICAL POC
9.8 Jan 10

Tenda AX1803 v1.0.0.1 was discovered to contain a command injection vulnerability via the function fromAdvSetLanIp. Rate

CVE-2023-51812 CRITICAL POC
9.8 Jan 04

Tenda AX3 v16.03.12.11 was discovered to contain a remote code execution (RCE) vulnerability via the list parameter at /

CVE-2025-45429 CRITICAL POC
9.8 Apr 23

In the Tenda ac9 v1.0 router with firmware V15.03.05.14_multi, there is a stack overflow vulnerability in /goform/WifiWp

Share

CVE-2026-31255 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy