CVE-2026-4554
Published: 22 March 2026
Summary
CVE-2026-4554 is a medium-severity Injection (CWE-74) vulnerability in Tenda F453 Firmware. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 12.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
A security flaw has been discovered in Tenda F453 version 1.0.0.3. The affected element is the function FormWriteFacMac of the file /goform/WriteFacMac. The manipulation of the argument mac results in command injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.
An attacker with low privileges can send a crafted request to the web interface over the network to execute arbitrary commands on the device. The vulnerability is tracked under CWE-74, CWE-77, and CWE-78, and carries a CVSS 4.0 score of 5.3 reflecting limited impact combined with network accessibility and low attack complexity.
The EPSS score rose from a low baseline to a peak of 0.0341 on 2026-03-26 shortly after disclosure before receding to 0.0023, indicating a temporary increase in exploitation interest. Public references include a detailed proof-of-concept on GitHub along with entries on VulDB, but no vendor advisory or patch information is provided in the available sources.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-14327
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection in the router firmware's web interface enables exploitation of a public-facing application (T1190) and arbitrary OS command execution via Unix Shell (T1059.004) or Network Device CLI (T1059.008).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly prevents command injection by requiring validation of the 'mac' argument to neutralize special elements in the FormWriteFacMac function.
- SI-2 (Flaw Remediation): Addresses the root cause by identifying, prioritizing, and remediating the specific command injection flaw in Tenda F453 firmware version 1.0.0.3.
- System monitoring: Monitors system activity to detect indicators of command injection exploitation, such as anomalous command executions from low-privileged remote access.
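The SI-10 control above calls for validating the 'mac' argument before it reaches anything that could interpret it as a command. The following C code is an added illustration of that control written for this entry; it is not Tenda's firmware, not the FormWriteFacMac function, and not derived from any published proof-of-concept. It assumes a hypothetical handler, handle_write_fac_mac, that receives the raw query argument and must either reject it or hand a canonical value to a helper started with a fixed argv (never a shell command line). The sample inputs in main are constructed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Canonical MAC form the handler accepts: six two-digit hex groups
 * separated by ':', exactly 17 characters.  Anything else is rejected
 * before the value reaches a configuration store or a child process. */
#define MAC_STR_LEN 17

/* Allow-list check: true only for the exact XX:XX:XX:XX:XX:XX shape. */
bool mac_is_well_formed(const char *mac)
{
    if (mac == NULL || strlen(mac) != MAC_STR_LEN)
        return false;
    for (int i = 0; i < MAC_STR_LEN; i++) {
        if (i % 3 == 2) {              /* separator positions 2,5,8,11,14 */
            if (mac[i] != ':')
                return false;
        } else if (!isxdigit((unsigned char)mac[i])) {
            return false;
        }
    }
    return true;
}

/* Copy the validated MAC into out in lowercase, so downstream code never
 * sees the caller's raw bytes.  Returns false (and leaves out empty) on
 * invalid input or a too-small buffer. */
bool mac_canonicalize(const char *mac, char *out, size_t outlen)
{
    if (outlen < MAC_STR_LEN + 1 || !mac_is_well_formed(mac)) {
        if (outlen > 0)
            out[0] = '\0';
        return false;
    }
    for (int i = 0; i < MAC_STR_LEN; i++)
        out[i] = (char)tolower((unsigned char)mac[i]);
    out[MAC_STR_LEN] = '\0';
    return true;
}

/* Hypothetical hardened handler for a request carrying mac=<value>.
 * Returns an HTTP-style status: 400 when the argument fails validation,
 * 500 when the output slot is too small, 200 when the canonical MAC has
 * been written into argv_slot.  The slot is meant to be one discrete
 * element of an argv passed to execv(); the program name and option are
 * fixed, and no part of the request is ever joined into a shell string,
 * so shell metacharacters cannot alter the command even if validation
 * were later loosened. */
int handle_write_fac_mac(const char *mac_arg, char *argv_slot, size_t slot_len)
{
    char canon[MAC_STR_LEN + 1];
    if (!mac_canonicalize(mac_arg, canon, sizeof canon))
        return 400;
    int n = snprintf(argv_slot, slot_len, "fac_mac=%s", canon);
    if (n < 0 || (size_t)n >= slot_len)
        return 500;
    return 200;
}

int main(void)
{
    /* Constructed inputs: one valid, one carrying a shell separator,
     * one using the wrong delimiter, one empty. */
    const char *samples[] = {
        "00:1A:2B:3C:4D:5E", "00:1A:2B:3C:4D:5E;x", "00-1A-2B-3C-4D-5E", ""
    };
    char slot[32];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int st = handle_write_fac_mac(samples[i], slot, sizeof slot);
        printf("%-22s -> %d %s\n", samples[i], st,
               st == 200 ? slot : "(rejected)");
    }
    return 0;
}
```

The design point is that validation and command construction are separate defenses: the allow-list rejects every byte outside the MAC grammar, and the fixed-argv shape means the value could not change the command even if the allow-list had a gap. A detection rule for the monitoring control above would look for child processes spawned by the web server whose command lines contain characters the grammar never permits.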