CVE-2018-14558
Published: 30 October 2018
Summary
CVE-2018-14558 is a critical-severity OS command injection (CWE-78) vulnerability in Tenda AC7 firmware. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 1.0% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SC-7 (Boundary Protection).
Deeper analysis
CVE-2018-14558 is an OS command injection vulnerability (CWE-78) affecting Tenda AC7 routers running firmware up to V15.03.06.44_CN, AC9 routers up to V15.03.05.19(6318)_CN, and AC10 routers up to V15.03.06.23_CN. The flaw resides in the formsetUsbUnload function, which passes unsanitized input from a goform/setUsbUnload request directly to a dosystemCmd call, allowing arbitrary operating-system command execution.
Unauthenticated attackers with network access can exploit the issue by sending a crafted HTTP request to the affected endpoint. Successful exploitation grants full control over the device, enabling arbitrary command execution with the privileges of the web server process and resulting in complete confidentiality, integrity, and availability impacts as reflected in the CVSS 9.8 base score.
The vulnerability is catalogued in CISA's Known Exploited Vulnerabilities list, confirming real-world exploitation. Public technical write-ups, including detailed proof-of-concept material on GitHub, document the request format and affected endpoints, underscoring the need for immediate firmware updates or network-level restrictions on administrative interfaces where patches are unavailable.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2018-6467
Vulnerability details
An issue was discovered on Tenda AC7 devices with firmware through V15.03.06.44_CN(AC7), AC9 devices with firmware through V15.03.05.19(6318)_CN(AC9), and AC10 devices with firmware through V15.03.06.23_CN(AC10). A command injection vulnerability allows attackers to execute arbitrary OS commands via a crafted goform/setUsbUnload request. This occurs because the "formsetUsbUnload" function executes a dosystemCmd function with untrusted input.
- CWE(s): CWE-78
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
Requires validation and sanitization of untrusted input to the formsetUsbUnload function before it reaches dosystemCmd, directly blocking the command-injection payload.
Boundary-protection mechanisms can deny or restrict network access to the vulnerable goform/setUsbUnload endpoint from untrusted sources.
Mandates timely application of firmware patches that eliminate the unsanitized dosystemCmd call in the affected Tenda web interface.
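Where firmware cannot be updated, the boundary-protection and input-validation controls above can be backed by log review on whatever proxy or sensor sits in front of the device. The following added example is not part of the original record or of any vendor code. It flags requests to goform/setUsbUnload that come from outside a management subnet or carry shell metacharacters after URL-decoding. The tab-separated log format, the 192.0.2.0/28 management subnet and the parameter name `name` are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit, parse_qsl

ENDPOINT = "/goform/setUsbUnload"                   # endpoint named in the advisory
MGMT_NETS = [ipaddress.ip_network("192.0.2.0/28")]  # assumption: admin subnet
SHELL_META = re.compile(r"[;&|`$<>\n\r(){}]")       # characters a shell treats specially

# Constructed sample records: source IP, method, URI, body (tab-separated).
# The parameter name "name" is a hypothetical placeholder.
SAMPLE_LOG = (
    "192.0.2.5\tGET\t/goform/setUsbUnload?name=usb1\t-\n"
    "203.0.113.9\tPOST\t/goform/setUsbUnload\tname=usb1\n"
    "192.0.2.7\tPOST\t/goform/setUsbUnload\tname=usb1%3Bid\n"
    "198.51.100.4\tGET\t/index.html\t-\n"
)

def classify(line):
    """Return a list of reasons to flag the record, or None if it is unrelated."""
    fields = line.split("\t")
    if len(fields) != 4:
        return None                                  # malformed or blank record
    src, _method, uri, body = fields
    parts = urlsplit(uri)
    if parts.path.rstrip("/") != ENDPOINT:
        return None
    reasons = []
    if not any(ipaddress.ip_address(src) in net for net in MGMT_NETS):
        reasons.append("source outside management network")
    # Check query string and form body together; parse_qsl percent-decodes
    # values, so encoded metacharacters such as %3B are caught as well.
    raw = "&".join(p for p in (parts.query, "" if body == "-" else body) if p)
    for key, value in parse_qsl(raw, keep_blank_values=True):
        if SHELL_META.search(value):
            reasons.append(f"shell metacharacter in parameter {key!r}")
    return reasons

def scan(log_text):
    """Return (source_ip, reasons) for every record that should be reviewed."""
    findings = []
    for line in log_text.splitlines():
        reasons = classify(line)
        if reasons:
            findings.append((line.split("\t")[0], reasons))
    return findings

if __name__ == "__main__":
    for src, reasons in scan(SAMPLE_LOG):
        print(src, "->", "; ".join(reasons))
```
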