Cyber Resilience

CVE-2018-14558

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 30 October 2018

Modified: 07 November 2025
KEV Added: 03 November 2021
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.7832 (99.0th percentile)
Risk Priority: 87 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2018-14558 is a critical-severity OS command injection (CWE-78) vulnerability in Tenda AC7 firmware. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 1.0% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2018-14558 is an OS command injection vulnerability (CWE-78) affecting Tenda AC7 routers running firmware up to V15.03.06.44_CN, AC9 routers up to V15.03.05.19(6318)_CN, and AC10 routers up to V15.03.06.23_CN. The flaw resides in the formsetUsbUnload function, which passes unsanitized input from a goform/setUsbUnload request directly to a dosystemCmd call, allowing arbitrary operating-system command execution.

Unauthenticated attackers with network access can exploit the issue by sending a crafted HTTP request to the affected endpoint. Successful exploitation grants full control over the device, enabling arbitrary command execution with the privileges of the web server process and resulting in complete confidentiality, integrity, and availability impacts as reflected in the CVSS 9.8 base score.

The vulnerability is catalogued in CISA's Known Exploited Vulnerabilities list, confirming real-world exploitation. Public technical write-ups, including detailed proof-of-concept material on GitHub, document the request format and affected endpoints, underscoring the need for immediate firmware updates or network-level restrictions on administrative interfaces where patches are unavailable.
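As an added illustration (not code from this page or from Tenda's firmware) of the defect described above and of the SI-10 input-validation control: a hypothetical USB unload handler written the unsafe way, beside a hardened version that allowlists the device name and runs the tool with a fixed argv so no shell ever parses the request value. The parameter name `dev`, the `/mnt/` mount path and the `umount` command are assumptions, not details taken from the page.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

/* Hypothetical names throughout: the real handler's field name and command
 * template are not given on the page; "dev", "/mnt/" and "umount" are assumed. */

/* Unsafe pattern: the request field is concatenated into a shell command
 * string destined for a system()-style call. It only builds the string here
 * so the test can show metacharacters passing straight through. */
int build_unload_cmd_unsafe(const char *dev, char *out, size_t outlen) {
    int n = snprintf(out, outlen, "umount /mnt/%s", dev);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Allowlist check: a USB block-device name is short and drawn from a narrow
 * character set; shell metacharacters, path separators, leading dots or
 * dashes and empty strings are rejected before any command is formed. */
int is_valid_device_name(const char *dev) {
    size_t len = strlen(dev);
    if (len == 0 || len > 16) return 0;
    if (dev[0] == '.' || dev[0] == '-') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)dev[i];
        if (!(isalnum(c) || c == '_')) return 0;
    }
    return 1;
}

/* Hardened handler: validate, then run the tool with a fixed argv via
 * fork/execv. Returns -1 on rejected input or failure, else the child's
 * exit status. */
int unload_usb_hardened(const char *dev) {
    if (!is_valid_device_name(dev)) return -1;
    char path[64];
    snprintf(path, sizeof path, "/mnt/%s", dev);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "umount", path, NULL };
        execv("/bin/umount", argv);   /* assumed tool path */
        _exit(127);
    }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```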


Vulnerability details

An issue was discovered on Tenda AC7 devices with firmware through V15.03.06.44_CN(AC7), AC9 devices with firmware through V15.03.05.19(6318)_CN(AC9), and AC10 devices with firmware through V15.03.06.23_CN(AC10). A command injection vulnerability allows attackers to execute arbitrary OS commands via a crafted goform/setUsbUnload request. This occurs because the "formsetUsbUnload" function executes a dosystemCmd function with untrusted input.


Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

tenda ac7 firmware ≤ 15.03.06.44_cn
tenda ac9 firmware ≤ 15.03.05.19(6318)_cn
tenda ac10 firmware ≤ 15.03.06.23_cn

Mitigating Controls (NIST 800-53 r5)

prevent (SI-10, Information Input Validation): Requires validation and sanitization of untrusted input to the formsetUsbUnload function before it reaches dosystemCmd, directly blocking the command-injection payload.

prevent (SC-7, Boundary Protection): Boundary-protection mechanisms can deny or restrict network access to the vulnerable goform/setUsbUnload endpoint from untrusted sources.

prevent: Mandates timely application of firmware patches that eliminate the unsanitized dosystemCmd call in the affected Tenda web interface.
