CVE-2026-24105

CriticalPublic PoC

Published: 02 March 2026

Published

02 March 2026

Modified

06 March 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0187 83.2th percentile

Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Description

An issue was discovered in goform/formsetUsbUnload in Tenda AC15V1.0 V15.03.05.18_multi. The value of `v1` was not checked, potentially leading to a command injection vulnerability if injected into doSystemCmd.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly requires validation of untrusted inputs such as the 'v1' parameter before passing to doSystemCmd, preventing command injection.

SI-2 Flaw Remediation good match

prevent

Mandates identification, reporting, and correction of the specific command injection flaw through vendor patching.

SC-7 Boundary Protection partial match

preventdetect

Enables monitoring and filtering of network traffic at system boundaries to block or detect malicious requests exploiting the vulnerable endpoint.

Security SummaryAI

CVE-2026-24105 is a command injection vulnerability (CWE-94) discovered in the goform/formsetUsbUnload component of the Tenda AC15 V1.0 router running firmware version V15.03.05.18_multi. The flaw occurs because the value of the `v1` parameter is not properly validated before being passed to the doSystemCmd function, enabling potential arbitrary command execution. Published on 2026-03-02, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical.

Unauthenticated attackers with network access can exploit this vulnerability with low complexity and no user interaction required. By crafting malicious requests to the affected endpoint, they can inject commands into doSystemCmd, potentially achieving high-impact confidentiality, integrity, and availability compromises, such as full device takeover, data exfiltration, or persistent access.

Mitigation details are referenced in the vendor advisory at https://www.tenda.com.cn/material/show/2710 and a report at https://github.com/akuma-QAQ/CVEreport/tree/main/D-link/CVE-2026-24105.

Details

CWE(s): CWE-94

Affected Products

tenda

ac15 firmware

15.03.05.18

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.008 Network Device CLI Execution

Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.

attack.mitre.org →

Why these techniques?

The vulnerability is an unauthenticated command injection in a public-facing router web interface (goform/formsetUsbUnload), enabling exploitation of public-facing application (T1190) and arbitrary command execution on a network device (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/akuma-QAQ/CVEreport/tree/main/D-link/CVE-2026-24105
Exploit, Third Party Advisory · cve@mitre.org
https://www.tenda.com.cn/material/show/2710
Release Notes · cve@mitre.org