Cyber Resilience

CVE-2020-10987

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 13 July 2020
Modified: 07 November 2025
KEV Added: 03 November 2021
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9368 (99.9th percentile)
Risk Priority: 96 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-10987 is a critical-severity OS Command Injection (CWE-78) vulnerability in Tenda AC15 firmware. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

The vulnerability is an OS command injection flaw (CWE-78) in the goform/setUsbUnload endpoint of Tenda AC15 AC1900 routers running firmware version 15.03.05.19. Untrusted input supplied through the deviceName POST parameter is passed directly to system commands without sanitization, enabling arbitrary command execution on the device.

Unauthenticated remote attackers can exploit the issue over the network by sending a crafted HTTP POST request to the affected endpoint. Successful exploitation grants full control of the device, allowing arbitrary code execution with impacts to confidentiality, integrity, and availability.

The vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, confirming observed exploitation in the wild. Public research from Independent Security Evaluators details the discovery and provides working exploitation details for the Tenda AC1900 platform.

Vulnerability details

The goform/setUsbUnload endpoint of Tenda AC15 AC1900 version 15.03.05.19 allows remote attackers to execute arbitrary system commands via the deviceName POST parameter.

CWE(s)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

tenda
ac15 firmware
15.03.05.19

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of the deviceName POST parameter before it is passed to system commands, blocking the CWE-78 injection.

prevent

Enforces authentication and authorization checks on the goform/setUsbUnload endpoint so unauthenticated remote attackers cannot reach the vulnerable handler.

prevent

Restricts network exposure of the router's management interface, limiting the attack surface for remote HTTP POST requests that trigger the command injection.