CVE-2026-24101
Published: 02 March 2026
Summary
CVE-2026-24101 is a critical-severity OS Command Injection (CWE-78) vulnerability in Tenda Ac15 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 20.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 IA-8 (Identification and Authentication (Non-organizational Users)) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation of untrusted inputs like s1_1 prior to concatenation into system commands, preventing command injection exploits.
Mandates timely identification, reporting, and patching of the specific command injection flaw in the Tenda firmware.
Enforces identification and authentication for non-organizational users accessing the goform/formSetIptv endpoint, blocking unauthenticated remote attacks.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated remote command injection in public-facing web component (goform) enables exploitation of public-facing application (T1190), remote services (T1210), and Unix shell execution (T1059.004).
NVD Description
An issue was discovered in goform/formSetIptv in Tenda AC15V1.0 V15.03.05.18_multi. When the condition is met, `s1_1` will be passed into sub_B0488, concatenated into `doSystemCmd`. The value of s1_1 is not validated, potentially leading to a command injection vulnerability.
Deeper analysisAI
CVE-2026-24101 is a command injection vulnerability (CWE-78) discovered in the goform/formSetIptv component of Tenda AC15 V1.0 firmware version V15.03.05.18_multi. The issue arises when a specific condition is met, allowing the unvalidated parameter s1_1 to be passed into the sub_B0488 function and concatenated into the doSystemCmd function, enabling arbitrary command execution.
The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable remotely over the network with low complexity, requiring no authentication, privileges, or user interaction. An unauthenticated attacker can inject and execute arbitrary commands on the affected device, potentially compromising confidentiality, integrity, and availability to a high degree.
Mitigation details are available in vendor-provided resources, including Tenda's official material at https://www.tenda.com.cn/material/show/2710. Additional technical analysis and reporting can be found in the GitHub repository at https://github.com/akuma-QAQ/CVEreport/tree/main/D-link/CVE-2026-24101.
Details
- CWE(s)