CVE-2026-5547
Published: 05 April 2026
Description
A vulnerability has been found in Tenda AC10 16.03.10.10_multi_TDE01. Affected is the function formAddMacfilterRule of the file /bin/httpd. Such manipulation leads to OS command injection. It is possible to launch the attack remotely. Multiple endpoints might be affected.
Mitigating Controls (NIST 800-53 r5) (AI)
SI-10 directly prevents OS command injection by validating and sanitizing user inputs to the formAddMacfilterRule function before processing.
SI-2 remediates the specific command injection flaw in Tenda AC10 firmware by identifying, patching, and deploying fixes.
SI-9 restricts inputs at system boundaries to valid MAC filter rule formats, blocking injection payloads in the vulnerable httpd endpoint.
Security Summary (AI)
CVE-2026-5547 is an OS command injection vulnerability (CWE-77, CWE-78) affecting the formAddMacfilterRule function in the /bin/httpd component of Tenda AC10 firmware version 16.03.10.10_multi_TDE01. Published on 2026-04-05, it has a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). The flaw allows remote manipulation and may impact multiple endpoints.
A low-privileged remote attacker (PR:L) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation enables OS command injection, resulting in low impacts to confidentiality, integrity, and availability (C:L/I:L/A:L) within the unchanged scope (S:U).
Advisories and detailed findings are documented in referenced sources, including a GitHub repository detailing the command injection in formAddMacfilterRule, VulDB entries (vuln/355311 and related CTI), and the Tenda website. No specific patch or mitigation details are outlined in the provided information.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
OS command injection in router web interface enables exploitation of public-facing application (T1190) and Unix shell command execution (T1059.004).