Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
A vulnerability was found in Tenda F456 1.0.0.5. This impacts the function FromWriteFacMac of the file /goform/WriteFacMac of the component httpd. The manipulation of the argument mac results in command injection. The attack can be executed remotely. The exploit has been made public and could be used.
AnalysisAI
Command injection in Tenda F456 1.0.0.5 httpd allows authenticated remote attackers to execute arbitrary commands via the mac parameter in the /goform/WriteFacMac endpoint. The vulnerability has a publicly available exploit and CVSS 5.3 score with authenticated access requirement (PR:L), limiting immediate widespread risk but affecting exposed or compromised administrative accounts.
Technical ContextAI
The Tenda F456 is a residential router with an embedded HTTP daemon (httpd) handling administrative requests. The vulnerable function FromWriteFacMac processes input from the /goform/WriteFacMac endpoint without proper sanitization of the mac parameter, leading to CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component). The mac parameter is likely passed unsanitized to a shell command or system() call, permitting command injection through shell metacharacters. This affects the router's management interface accessible via its web console.
RemediationAI
Vendor patch availability and version information are not documented in the provided references. Immediate workarounds include: (1) Restrict access to the /goform/WriteFacMac endpoint via firewall rules blocking HTTP/HTTPS to the router's management interface from untrusted networks, permitting access only from trusted administrative machines; (2) Change default administrative credentials to strong, unique passwords; (3) Disable remote management features in the router's settings if they are not required; (4) Isolate the router on a dedicated VLAN with strict access controls. Contact Tenda support via https://www.tenda.com.cn/ to obtain patched firmware versions for Tenda F456. Test any firmware updates in a non-production environment before deployment. If a patched version becomes available, apply it immediately and reset administrative credentials post-patch.
Tenda ONT GPON AC1200 Dual band WiFi HG9 v1.0.1 is vulnerable to Command Injection via the Ping function. Rated high sev
Mediabridge Medialink MWN-WAPR300N devices with firmware 5.07.50 and Tenda N3 Wireless N150 devices allow remote attacke
The Shenzhen Tenda Technology Tenda A5s router with firmware 3.02.05_CN allows remote attackers to bypass authentication
Tenda AC9 v15.03.05.14 was discovered to contain a command injection vulnerability via the Telnet function. Rated critic
In Tenda AC9 v1.0 V15.03.05.14_multi, the wanMTU parameter of /goform/AdvSetMacMtuWan has a stack overflow vulnerability
Tenda AC9 V15.03.06.42_multi was found to contain a command injection vulnerability in the formSetSambaConf function via
Tenda AC9 V15.03.06.42_multi was found to contain a command injection vulnerability in the formsetUsbUnload function via
Tenda AC23 v16.03.07.44 was discovered to contain a buffer overflow via fromAdvSetMacMtuWan. Rated critical severity (CV
Tenda AC15 v15.03.05.19 is vulnerable to Command Injection via the handler function in /goform/telnet. Rated critical se
Tenda AX1803 v1.0.0.1 was discovered to contain a command injection vulnerability via the function fromAdvSetLanIp. Rate
Tenda AX3 v16.03.12.11 was discovered to contain a remote code execution (RCE) vulnerability via the list parameter at /
In the Tenda ac9 v1.0 router with firmware V15.03.05.14_multi, there is a stack overflow vulnerability in /goform/WifiWp
Same technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25802