Cyber Resilience

CVE-2026-4554

Severity: Medium · Public PoC

Published: 22 March 2026
Modified: 03 April 2026
KEV Added: not listed
Patch: none referenced
CVSS v4.0 score: 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0341 (87.3rd percentile)
Risk priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-4554 is a medium-severity Injection (CWE-74) vulnerability in Tenda F453 Firmware. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 12.7% of CVEs by exploit likelihood (EPSS), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

A security flaw has been discovered in Tenda F453 version 1.0.0.3. The affected element is the function FormWriteFacMac of the file /goform/WriteFacMac. The manipulation of the argument mac results in command injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.

An attacker with low privileges can send a crafted request to the web interface over the network to execute arbitrary commands on the device. The vulnerability is tracked under CWE-74, CWE-77, and CWE-78, and carries a CVSS 4.0 score of 5.3 reflecting limited impact combined with network accessibility and low attack complexity.

The EPSS score rose from a low baseline to a peak of 0.0341 on 2026-03-26 shortly after disclosure before receding to 0.0023, indicating a temporary increase in exploitation interest. Public references include a detailed proof-of-concept on GitHub along with entries on VulDB, but no vendor advisory or patch information is provided in the available sources.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
T1059.008 Network Device CLI (Execution): Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads.
Why these techniques?

Command injection in the router firmware's web interface enables exploitation of a public-facing application (T1190) and arbitrary OS command execution via a Unix shell (T1059.004) or the network device CLI (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-6989 (same product: Tenda F453)
CVE-2026-3732 (same product: Tenda F453)
CVE-2026-3768 (same product: Tenda F453)
CVE-2026-5021 (same product: Tenda F453)
CVE-2026-3272 (same product: Tenda F453)
CVE-2026-4551 (same product: Tenda F453)
CVE-2026-3167 (same product: Tenda F453)
CVE-2026-3399 (same product: Tenda F453)
CVE-2026-4552 (same product: Tenda F453)
CVE-2026-3379 (same product: Tenda F453)

Affected Assets

Vendor: tenda
Product: f453 firmware
Version: 1.0.0.3

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent (SI-10, Information Input Validation): Directly prevents command injection by requiring validation of the 'mac' argument to neutralize special elements in the FormWriteFacMac function.

Prevent (SI-2, Flaw Remediation): Addresses the root cause by identifying, prioritizing, and remediating the specific command injection flaw in Tenda F453 firmware version 1.0.0.3.

Detect: Monitors system activity to detect indicators of command injection exploitation, such as anomalous command executions from low-privileged remote access.
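As an added illustration of the input-validation and monitoring controls above (and of the 'mac' argument described in the deeper analysis), the following Python is not the page's or Tenda's code: it validates a MAC value against a strict allowlist and runs that check over constructed access-log lines for /goform/WriteFacMac. It assumes the parameter is visible in the web-server log as a GET query string; a value sent in a POST body would need a proxy or WAF log instead.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Allowlist for the 'mac' argument: exactly six hex octets separated by colons.
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}")
# Characters that alter how a shell parses a string built from the value.
SHELL_META = frozenset(";|&`$()<>{}\n\r'\"\\ ")
TARGET_PATH = "/goform/WriteFacMac"
# "combined"-style access log line; the log format is an assumption here.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def is_valid_mac(value: str) -> bool:
    """Positive validation (SI-10): accept only the documented MAC format."""
    return MAC_RE.fullmatch(value) is not None

def classify_mac(value: str) -> str:
    """'ok' for a well-formed MAC, 'injection' when shell metacharacters are
    present, otherwise 'malformed' (wrong length, separators, etc.)."""
    if is_valid_mac(value):
        return "ok"
    if any(ch in SHELL_META for ch in value):
        return "injection"
    return "malformed"

def triage(log_lines):
    """Return (source, verdict, mac) for every request to the vulnerable
    endpoint; unrelated requests and unparsable lines are skipped."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != TARGET_PATH:
            continue
        # parse_qs splits on '&' before percent-decoding, so an encoded ';' survives.
        mac = parse_qs(parts.query, keep_blank_values=True).get("mac", [""])[0]
        findings.append((m.group("src"), classify_mac(mac), mac))
    return findings

# Constructed sample log lines (not from the page or the device): a benign
# write, one carrying a shell metacharacter in 'mac', and an unrelated request.
SAMPLE_LOG = [
    '192.0.2.10 - admin [22/Mar/2026:10:01:02 +0000] "GET /goform/WriteFacMac?mac=00:11:22:33:44:55 HTTP/1.1" 200 12',
    '198.51.100.7 - admin [22/Mar/2026:10:01:09 +0000] "GET /goform/WriteFacMac?mac=00:11:22:33:44:55%3Bid HTTP/1.1" 200 12',
    '192.0.2.10 - admin [22/Mar/2026:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 512',
]
```

Calling triage(SAMPLE_LOG) yields one "ok" and one "injection" finding; the same is_valid_mac allowlist is what a fixed handler would apply before the value reaches any command string.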

References