CVE-2026-7102
Published: 27 April 2026
Description
A vulnerability was found in Tenda F456 1.0.0.5. This impacts the function FromWriteFacMac of the file /goform/WriteFacMac of the component httpd. The manipulation of the argument mac results in command injection. The attack can be executed remotely. The exploit has been made public and could be used.
Mitigating Controls (NIST 800-53 r5) [AI]
- SI-10 (Information Input Validation) directly prevents command injection by requiring validation of the 'mac' argument in the FromWriteFacMac function, so that only valid inputs are processed.
- SI-2 (Flaw Remediation) mandates identifying and remediating flaws such as this command injection vulnerability through firmware patching.
- AC-6 (Least Privilege) limits the impact of a successful command injection by enforcing least privilege on the httpd process that handles the vulnerable endpoint.
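The SI-10 control above amounts to allow-list validation of the mac value before it reaches any command string. The following is an added example, not code from the Tenda firmware or from the advisory: the names `mac_validate` and `hex_upper` are hypothetical, and the colon-separated six-octet format is an assumption about what the endpoint should accept.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAC_STR_LEN 17 /* "AA:BB:CC:DD:EE:FF" */

/* Locale-independent hex check: returns the upper-case digit, or 0. */
static char hex_upper(char c)
{
    if (c >= '0' && c <= '9') return c;
    if (c >= 'A' && c <= 'F') return c;
    if (c >= 'a' && c <= 'f') return (char)(c - 'a' + 'A');
    return 0;
}

/*
 * Accept only six hex octets separated by ':' and nothing else.
 * On success writes the canonical upper-case form to out and returns 1.
 * On failure returns 0; the caller must not use out. Shell metacharacters,
 * whitespace, and over-long or truncated input all fail the same check.
 */
int mac_validate(const char *in, char *out, size_t out_len)
{
    size_t i;

    if (in == NULL || out == NULL || out_len < MAC_STR_LEN + 1)
        return 0;
    for (i = 0; i < MAC_STR_LEN; i++) {
        if (i % 3 == 2) {                 /* positions 2, 5, 8, 11, 14 */
            if (in[i] != ':') return 0;
            out[i] = ':';
        } else {
            out[i] = hex_upper(in[i]);    /* an early NUL also fails here */
            if (out[i] == 0) return 0;
        }
    }
    if (in[MAC_STR_LEN] != '\0') return 0; /* reject trailing data */
    out[MAC_STR_LEN] = '\0';
    return 1;
}

int main(void)
{
    /* Constructed sample inputs, not taken from the advisory. */
    const char *samples[] = { "00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:5e;x",
                              "001a2b3c4d5e", "" };
    char mac[MAC_STR_LEN + 1];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s -> %s\n", samples[i],
               mac_validate(samples[i], mac, sizeof mac) ? mac : "rejected");
    return 0;
}
```

Only the canonical string written to `out` should be used downstream; the raw request parameter should never be concatenated into a command line.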
Security Summary [AI]
CVE-2026-7102 is a command injection vulnerability affecting the Tenda F456 router on firmware version 1.0.0.5. The issue resides in the FromWriteFacMac function within the /goform/WriteFacMac file of the httpd component, where manipulation of the mac argument enables command injection.
The vulnerability carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and is associated with CWE-74 and CWE-77. It can be exploited remotely by attackers possessing low privileges, with low attack complexity and no user interaction required. Exploitation allows arbitrary command execution, resulting in low impacts to confidentiality, integrity, and availability.
Advisories detail the issue on VulDB, including submission, vulnerability, and CTI pages. An exploit is publicly available in a GitHub repository. The vendor site is at https://www.tenda.com.cn/.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
Command injection in the router's public-facing web interface (httpd /goform) enables exploitation of a public-facing application (T1190) and facilitates arbitrary Unix shell command execution (T1059.004).