CVE-2020-10987
Published: 13 July 2020
Summary
CVE-2020-10987 is a critical-severity OS Command Injection (CWE-78) vulnerability in Tenda Ac15 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
The vulnerability is an OS command injection flaw (CWE-78) in the goform/setUsbUnload endpoint of Tenda AC15 AC1900 routers running firmware version 15.03.05.19. Untrusted input supplied through the deviceName POST parameter is passed directly to system commands without sanitization, enabling arbitrary command execution on the device.
Unauthenticated remote attackers can exploit the issue over the network by sending a crafted HTTP POST request to the affected endpoint. Successful exploitation grants full control of the device, allowing arbitrary code execution with impacts to confidentiality, integrity, and availability.
The vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, confirming observed exploitation in the wild. Public research from Independent Security Evaluators details the discovery and provides working exploitation details for the Tenda AC1900 platform.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-3386
Vulnerability details
The goform/setUsbUnload endpoint of Tenda AC15 AC1900 version 15.03.05.19 allows remote attackers to execute arbitrary system commands via the deviceName POST parameter.
- CWE(s)
- KEV Date Added
- 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation and sanitization of the deviceName POST parameter before it is passed to system commands, blocking the CWE-78 injection.
Enforces authentication and authorization checks on the goform/setUsbUnload endpoint so unauthenticated remote attackers cannot reach the vulnerable handler.
Restricts network exposure of the router's management interface, limiting the attack surface for remote HTTP POST requests that trigger the command injection.