CVE-2026-5153
Published: 30 March 2026
Summary
CVE-2026-5153 is a medium-severity Injection (CWE-74) vulnerability in Tenda Ch22 Firmware. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 22.3% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Requires validation of inputs like the 'mac' argument in /goform/WriteFacMac to neutralize special elements and prevent command injection.
Mandates identification, reporting, and correction of known flaws such as this command injection vulnerability through timely patching of the Tenda CH22 firmware.
Vulnerability scanning identifies command injection flaws like CVE-2026-5153 in the FormWriteFacMac function during periodic assessments.
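The input validation described above for the 'mac' argument, as an added example (not Tenda's firmware code, which this page does not show): a strict allowlist parser in C that accepts only a colon-separated 48-bit MAC address and re-serializes it from the parsed bytes. The names parse_mac and hexval are hypothetical, and the sample inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Map one hex digit to its value, or -1 for any other character. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Hypothetical helper (not Tenda's code): accept only "XX:XX:XX:XX:XX:XX"
 * and write a canonical lowercase copy into out (18 bytes).
 * Returns 0 on success, -1 if the input is rejected. */
int parse_mac(const char *in, char out[18])
{
    unsigned char b[6];
    if (in == NULL || strlen(in) != 17)   /* exact length, no trailing data */
        return -1;
    for (int i = 0; i < 6; i++) {
        int hi = hexval((unsigned char)in[3 * i]);
        int lo = hexval((unsigned char)in[3 * i + 1]);
        if (hi < 0 || lo < 0)
            return -1;
        if (i < 5 && in[3 * i + 2] != ':')
            return -1;
        b[i] = (unsigned char)(hi * 16 + lo);
    }
    /* Re-serialize from the parsed bytes so nothing from the raw request
     * string is ever forwarded to a command or config writer. */
    snprintf(out, 18, "%02x:%02x:%02x:%02x:%02x:%02x",
             b[0], b[1], b[2], b[3], b[4], b[5]);
    return 0;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "00:1A:2b:3C:4d:5E", "00:11:22:33:44:55;id",
                              "00-11-22-33-44-55", "0:11:22:33:44:555" };
    char mac[18];
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-24s -> %s\n", samples[i],
               parse_mac(samples[i], mac) == 0 ? mac : "rejected");
    return 0;
}
```

Validation of this kind complements, and does not replace, avoiding shell invocation for the downstream operation and applying a vendor firmware fix when one is available.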
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE enables remote command injection via a public-facing web interface (T1190) on network device firmware, facilitating arbitrary command execution akin to Network Device CLI abuse (T1059.008).
NVD Description
A flaw has been found in Tenda CH22 1.0.0.1. The affected element is the function FormWriteFacMac of the file /goform/WriteFacMac. Executing a manipulation of the argument mac can lead to command injection. The attack may be launched remotely. The exploit has been published and may be used.
Deeper analysis
CVE-2026-5153 is a command injection vulnerability affecting Tenda CH22 firmware version 1.0.0.1. The flaw exists in the FormWriteFacMac function of the /goform/WriteFacMac file, where manipulation of the mac argument enables arbitrary command execution. Published on 2026-03-30, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and is linked to CWE-74 (Improper Neutralization of Special Elements) and CWE-77 (Command Injection).
The vulnerability is exploitable remotely by attackers possessing low privileges, requiring no user interaction. Successful exploitation grants limited access to execute commands, potentially compromising confidentiality, integrity, and availability to a low degree on the affected device.
Advisories referenced in VulDB (vuln/354185 and related pages) detail the issue and submission process, while a GitHub repository at Litengzheng/vuldb_new provides a published exploit for CH22 vul_60. The Tenda website is listed among references, though specific patch or mitigation guidance is not detailed in available sources.
Details
- CWE(s)