CVE-2026-24105
Published: 02 March 2026
Summary
CVE-2026-24105 is a critical-severity Code Injection (CWE-94) vulnerability in Tenda Ac15 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 16.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation of untrusted inputs such as the 'v1' parameter before passing to doSystemCmd, preventing command injection.
Mandates identification, reporting, and correction of the specific command injection flaw through vendor patching.
Enables monitoring and filtering of network traffic at system boundaries to block or detect malicious requests exploiting the vulnerable endpoint.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is an unauthenticated command injection in a public-facing router web interface (goform/formsetUsbUnload), enabling exploitation of public-facing application (T1190) and arbitrary command execution on a network device (T1059.008).
NVD Description
An issue was discovered in goform/formsetUsbUnload in Tenda AC15V1.0 V15.03.05.18_multi. The value of `v1` was not checked, potentially leading to a command injection vulnerability if injected into doSystemCmd.
Deeper analysisAI
CVE-2026-24105 is a command injection vulnerability (CWE-94) discovered in the goform/formsetUsbUnload component of the Tenda AC15 V1.0 router running firmware version V15.03.05.18_multi. The flaw occurs because the value of the `v1` parameter is not properly validated before being passed to the doSystemCmd function, enabling potential arbitrary command execution. Published on 2026-03-02, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical.
Unauthenticated attackers with network access can exploit this vulnerability with low complexity and no user interaction required. By crafting malicious requests to the affected endpoint, they can inject commands into doSystemCmd, potentially achieving high-impact confidentiality, integrity, and availability compromises, such as full device takeover, data exfiltration, or persistent access.
Mitigation details are referenced in the vendor advisory at https://www.tenda.com.cn/material/show/2710 and a report at https://github.com/akuma-QAQ/CVEreport/tree/main/D-link/CVE-2026-24105.
Details
- CWE(s)