Tenda AC1206 Command Injection Vulnerability

Vulnerability

A command injection vulnerability exists in the Tenda AC1206 router running firmware version 15.03.06.23. The issue arises in the HTTP component, specifically within the 'formBehaviorManager' function of the '/goform/BehaviorManager' file. The vulnerability allows remote attackers to inject commands by manipulating the 'modulename', 'option', 'data', and 'switch' parameters. The 'data' parameter is particularly vulnerable: its value is executed without proper sanitization, which leads to unauthorized command execution on the device.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected device.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/goform/BehaviorManager' endpoint with the 'modulename', 'option', 'switch', and 'data' parameters. The 'data' parameter can be crafted to include malicious commands, such as a command to create a file on the device.
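From the defender's side, the request shape described above is easy to watch for: a POST to '/goform/BehaviorManager' whose 'data' (or any of the other named) parameter carries shell metacharacters is not something a legitimate management client sends. The following is an added detection example, not code from the advisory or from Tenda; it assumes a monitoring point (proxy, IDS or packet capture in front of the router) that can hand it the method, path and decoded body of each request. The sample requests and parameter values in it are constructed for illustration.

```python
"""Flag command-injection attempts against the Tenda AC1206
'/goform/BehaviorManager' endpoint (added detection example)."""
import re
from urllib.parse import parse_qs

TARGET_PATH = "/goform/BehaviorManager"
# Parameters the advisory names as attacker-controlled inputs to formBehaviorManager.
TRACKED_PARAMS = ("modulename", "option", "switch", "data")
# Shell metacharacters that have no legitimate place in these fields.
SHELL_META = re.compile(r"[;&|`$><\n\r]|\$\(")


def analyze_request(method, path, body):
    """Return a list of (parameter, reason) findings for one HTTP request.

    Only POSTs to the vulnerable endpoint are inspected; the body is
    URL-decoded first so percent-encoded metacharacters (e.g. %3B) are
    caught as well. An empty list means nothing suspicious was found.
    """
    findings = []
    if method.upper() != "POST" or path != TARGET_PATH:
        return findings
    params = parse_qs(body, keep_blank_values=True)
    for name in TRACKED_PARAMS:
        for value in params.get(name, []):
            if SHELL_META.search(value):
                findings.append((name, "shell metacharacter in value"))
    return findings


def scan_requests(requests):
    """Run analyze_request over an iterable of (method, path, body) tuples
    and return one alert dict per request that produced findings."""
    alerts = []
    for method, path, body in requests:
        hits = analyze_request(method, path, body)
        if hits:
            alerts.append({"path": path, "hits": hits})
    return alerts


# Constructed sample traffic (module/option values are placeholders, not real
# firmware values): one benign configuration change, one request whose 'data'
# field smuggles a percent-encoded ';' followed by a placeholder command, and
# one unrelated GET that must be ignored.
SAMPLE_REQUESTS = [
    ("POST", TARGET_PATH,
     "modulename=EXAMPLE_MODULE&option=EXAMPLE_OPTION&switch=1&data=example.com"),
    ("POST", TARGET_PATH,
     "modulename=EXAMPLE_MODULE&option=EXAMPLE_OPTION&switch=1"
     "&data=example.com%3BPLACEHOLDER_CMD"),
    ("GET", "/goform/EXAMPLE_OTHER_PAGE", ""),
]

if __name__ == "__main__":
    for alert in scan_requests(SAMPLE_REQUESTS):
        print("ALERT", alert["path"], alert["hits"])
```

The metacharacter list is deliberately broad; on a device whose management interface should only ever receive hostnames, numbers and keywords in these fields, a false positive is far cheaper than a missed injection. Until a fixed firmware is available, the same logic can back a blocking rule on the upstream proxy or restrict access to the management interface to the LAN side only.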

Added: Jan 5, 2026, 9:18 AM
Updated: Jan 5, 2026, 9:18 AM

Vulnerability Rating

Custom Algorithm

spread: 2.6
impact: 10.0
exploitability: 9.1
remediation: 0.0
relevance: 1.9
threat: 6.4
urgency: 2.9
incentive: 9.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.