CVE-2026-0581

MediumPublic PoC

Published: 05 January 2026

Published

05 January 2026

Modified

12 January 2026

KEV Added

—

Patch

—

CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0132 80.0th percentile

Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Description

A vulnerability was determined in Tenda AC1206 15.03.06.23. Affected by this issue is the function formBehaviorManager of the file /goform/BehaviorManager of the component httpd. Executing a manipulation of the argument modulename/option/data/switch can lead to command injection. The attack can be…

launched remotely. The exploit has been publicly disclosed and may be utilized.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly mitigates command injection by validating and sanitizing user inputs such as modulename, option, data, and switch in the formBehaviorManager function.

SI-2 Flaw Remediation good match

prevent

Requires timely flaw remediation through firmware patching to eliminate the specific command injection vulnerability in the Tenda AC1206 httpd component.

AC-6 Least Privilege partial match

prevent

Enforces least privilege on the httpd process to limit the impact of injected commands even if validation fails.

Security SummaryAI

CVE-2026-0581 is a command injection vulnerability affecting the Tenda AC1206 router running firmware version 15.03.06.23. The flaw resides in the formBehaviorManager function within the /goform/BehaviorManager file of the httpd component. An attacker can exploit it by manipulating the arguments modulename, option, data, or switch to inject and execute arbitrary commands.

The vulnerability enables remote exploitation over the network with low complexity and requires low privileges, such as those of an authenticated user (PR:L). Successful attacks can result in limited impacts on confidentiality, integrity, and availability, as reflected in its CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). It maps to CWE-74 (Improper Neutralization of Special Elements) and CWE-77 (Command Injection).

Advisories on VulDB (ctiid.339473, id.339473, submit.731193) and a GitHub repository document the issue, including a publicly disclosed proof-of-concept exploit. The vendor's site at tenda.com.cn is referenced, but no specific patches or mitigation steps are detailed in the available information.

Details

CWE(s): CWE-74 CWE-77

Affected Products

tenda

ac1206 firmware

15.03.06.23

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.008 Network Device CLI Execution

Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.

attack.mitre.org →

Why these techniques?

Command injection vulnerability in public-facing router web interface enables exploitation of public-facing application (T1190) and arbitrary command execution on network device CLI (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/ccc-iotsec/cve-/blob/Tenda/Tenda%20AC1206%E5%91%BD%E4%BB%A4%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md
Exploit, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.339473
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.339473
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.731193
Third Party Advisory, VDB Entry · cna@vuldb.com
https://www.tenda.com.cn/
Product · cna@vuldb.com