CVE-2026-0581

MediumPublic PoC

Published: 05 January 2026

Published

05 January 2026

Modified

12 January 2026

KEV Added

—

Patch

—

CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0132 80.1th percentile

Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-0581 is a medium-severity Injection (CWE-74) vulnerability in Tenda Ac1206 Firmware. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 19.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly mitigates command injection by validating and sanitizing user inputs such as modulename, option, data, and switch in the formBehaviorManager function.

SI-2 Flaw Remediation good match

prevent

Requires timely flaw remediation through firmware patching to eliminate the specific command injection vulnerability in the Tenda AC1206 httpd component.

AC-6 Least Privilege partial match

prevent

Enforces least privilege on the httpd process to limit the impact of injected commands even if validation fails.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.008 Network Device CLI Execution

Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.

attack.mitre.org →

Why these techniques?

Command injection vulnerability in public-facing router web interface enables exploitation of public-facing application (T1190) and arbitrary command execution on network device CLI (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A vulnerability was determined in Tenda AC1206 15.03.06.23. Affected by this issue is the function formBehaviorManager of the file /goform/BehaviorManager of the component httpd. Executing a manipulation of the argument modulename/option/data/switch can lead to command injection. The attack can be…

launched remotely. The exploit has been publicly disclosed and may be utilized.

Deeper analysisAI

CVE-2026-0581 is a command injection vulnerability affecting the Tenda AC1206 router running firmware version 15.03.06.23. The flaw resides in the formBehaviorManager function within the /goform/BehaviorManager file of the httpd component. An attacker can exploit it by manipulating the arguments modulename, option, data, or switch to inject and execute arbitrary commands.

The vulnerability enables remote exploitation over the network with low complexity and requires low privileges, such as those of an authenticated user (PR:L). Successful attacks can result in limited impacts on confidentiality, integrity, and availability, as reflected in its CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). It maps to CWE-74 (Improper Neutralization of Special Elements) and CWE-77 (Command Injection).

Advisories on VulDB (ctiid.339473, id.339473, submit.731193) and a GitHub repository document the issue, including a publicly disclosed proof-of-concept exploit. The vendor's site at tenda.com.cn is referenced, but no specific patches or mitigation steps are detailed in the available information.

Details

CWE(s): CWE-74 CWE-77

Affected Products

tenda

ac1206 firmware

15.03.06.23

CVEs Like This One

CVE-2025-7544Same product: Tenda Ac1206

CVE-2025-10432Same product: Tenda Ac1206

CVE-2025-9523Same product: Tenda Ac1206

CVE-2026-1638Same vendor: Tenda

CVE-2026-1689Same vendor: Tenda

CVE-2026-6989Same vendor: Tenda

CVE-2026-5153Same vendor: Tenda

CVE-2025-7415Same vendor: Tenda

CVE-2025-9090Same vendor: Tenda

CVE-2025-25632Same vendor: Tenda

References

https://github.com/ccc-iotsec/cve-/blob/Tenda/Tenda%20AC1206%E5%91%BD%E4%BB%A4%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md
Exploit, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.339473
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.339473
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.731193
Third Party Advisory, VDB Entry · cna@vuldb.com
https://www.tenda.com.cn/
Product · cna@vuldb.com