CVE-2026-24107

CriticalPublic PoC

Published: 02 March 2026

Published

02 March 2026

Modified

03 March 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0125 79.4th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

An issue was discovered in Tenda W20E V4.0br_V15.11.0.6. Failure to validate the value of `usbPartitionName`, which is directly used in `doSystemCmd`, may lead to critical command injection vulnerabilities.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents command injection by requiring validation mechanisms for untrusted inputs like usbPartitionName before passing to doSystemCmd.

SI-2 Flaw Remediation good match

prevent

Mitigates the vulnerability through timely identification, reporting, and correction of the input validation flaw via firmware patching.

RA-5 Vulnerability Monitoring and Scanning good match

detect

Detects the command injection vulnerability in router firmware through regular vulnerability scanning.

Security SummaryAI

CVE-2026-24107 is a critical command injection vulnerability (CWE-94) discovered in the Tenda W20E router running firmware version V4.0br_V15.11.0.6, published on 2026-03-02. The issue arises from a failure to validate the `usbPartitionName` parameter, which is directly passed to the `doSystemCmd` function, allowing attackers to inject and execute arbitrary commands on the device. It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for complete compromise.

The vulnerability can be exploited by unauthenticated remote attackers over the network with low attack complexity and no requirement for user interaction. Exploitation enables high-impact disruption to confidentiality, integrity, and availability, such as executing arbitrary code, escalating privileges, or fully controlling the affected router.

Advisories and mitigation guidance are referenced in Tenda's official material at https://www.tenda.com.cn/material/show/2707 and a GitHub CVE report at https://github.com/akuma-QAQ/CVEreport/tree/main/D-link/CVE-2026-24107.

Details

CWE(s): CWE-94

Affected Products

tenda

w20e firmware

15.11.0.6

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.008 Network Device CLI Execution

Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.

attack.mitre.org →

Why these techniques?

Unauthenticated remote command injection in public-facing router firmware directly enables T1190 (Exploit Public-Facing Application) for initial access and facilitates T1059.008 (Network Device CLI) via arbitrary command execution through doSystemCmd.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/akuma-QAQ/CVEreport/tree/main/D-link/CVE-2026-24107
Exploit, Third Party Advisory · cve@mitre.org
https://www.tenda.com.cn/material/show/2707
Product · cve@mitre.org