CVE-2026-11556
HighCVSS 8.8Summary
A security flaw has been discovered in Tenda F451 versions 1.0.0.7 and 1.0.0.9 in the function formWriteFacMac. Manipulating the mac argument in the file /goform/WriteFacMac leads to OS command injection.
Risk Assessment
Remote exploitation of this vulnerability could lead to device takeover, posing a serious threat to the organization's network security.
Recommendation
It is recommended to update the device firmware to the latest version to mitigate the risks associated with this vulnerability.
Original NVD description (English source)
A security flaw has been discovered in Tenda F451 1.0.0.7/1.0.0.9. Impacted is the function formWriteFacMac of the file /goform/WriteFacMac of the component Web Management Interface. Performing a manipulation of the argument mac results in os command injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks.

