Cyber Resilience

CVE-2026-24101

CriticalPublic PoCRCE

Published: 02 March 2026

Published
02 March 2026
Modified
03 March 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0167 73.8th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-24101 is a critical-severity OS Command Injection (CWE-78) vulnerability in Tenda Ac15 Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 26.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 IA-8 (Identification and Authentication (Non-organizational Users)) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-24101 is a command injection vulnerability (CWE-78) discovered in the goform/formSetIptv component of Tenda AC15 V1.0 firmware version V15.03.05.18_multi. The issue arises when a specific condition is met, allowing the unvalidated parameter s1_1 to be passed into the sub_B0488 function and concatenated into the doSystemCmd function, enabling arbitrary command execution.

The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable remotely over the network with low complexity, requiring no authentication, privileges, or user interaction. An unauthenticated attacker can inject and execute arbitrary commands on the affected device, potentially compromising confidentiality, integrity, and availability to a high degree.

Mitigation details are available in vendor-provided resources, including Tenda's official material at https://www.tenda.com.cn/material/show/2710. Additional technical analysis and reporting can be found in the GitHub repository at https://github.com/akuma-QAQ/CVEreport/tree/main/D-link/CVE-2026-24101.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

An issue was discovered in goform/formSetIptv in Tenda AC15V1.0 V15.03.05.18_multi. When the condition is met, `s1_1` will be passed into sub_B0488, concatenated into `doSystemCmd`. The value of s1_1 is not validated, potentially leading to a command injection vulnerability.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Unauthenticated remote command injection in public-facing web component (goform) enables exploitation of public-facing application (T1190), remote services (T1210), and Unix shell execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-5830Same product: Tenda Ac15
CVE-2026-24103Same product: Tenda Ac15
CVE-2025-11386Same product: Tenda Ac15
CVE-2025-11388Same product: Tenda Ac15
CVE-2025-11389Same product: Tenda Ac15
CVE-2026-3400Same product: Tenda Ac15
CVE-2025-11387Same product: Tenda Ac15
CVE-2025-0566Same product: Tenda Ac15
CVE-2025-25632Same product: Tenda Ac15
CVE-2026-4975Same product: Tenda Ac15

Affected Assets

tenda
ac15 firmware
15.03.05.18_multi

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of untrusted inputs like s1_1 prior to concatenation into system commands, preventing command injection exploits.

prevent

Mandates timely identification, reporting, and patching of the specific command injection flaw in the Tenda firmware.

prevent

Enforces identification and authentication for non-organizational users accessing the goform/formSetIptv endpoint, blocking unauthenticated remote attacks.

References