CVE Catalog

CVE-2026-38142

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.69%

48th percentile — higher than 48% of all known CVEs

Summary

An unauthenticated command injection vulnerability exists in the /goform/fast_setting_internet_set endpoint of Tenda AC18 firmware version 15.03.05.05. An attacker can send a crafted request with a malicious payload in the mac parameter to execute arbitrary system commands.

Risk Assessment

An attacker can remotely take full control of the router without authentication, leading to complete device compromise, network traffic interception, or use as an entry point into the organization's internal network.

Recommendation

Immediately update the Tenda AC18 router firmware to the latest available version if a patch has been released. In the meantime, restrict management interface access to trusted IP addresses and deploy a firewall to block unauthorized requests to the vulnerable endpoint.

Original NVD description (English source)

An unauthenticated command injection vulnerability in the /goform/fast_setting_internet_set endpoint of Tenda AC18 v15.03.05.05 allows attackers to execute arbitrary commands via a crafted payload injected into the mac parameter.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS