Tenda F451 OS Command Injection Vulnerability in Web Management Interface

Vulnerability

An OS command injection vulnerability has been identified in the Tenda F451 wireless router, specifically in the web management interface of firmware versions 1.0.0.7 and 1.0.0.9. The vulnerability arises in the 'formWriteFacMac' function within the '/goform/WriteFacMac' endpoint. Here, the 'mac' parameter can be manipulated to inject shell metacharacters, allowing for remote code execution with root privileges.

Impact

Exploitation of this vulnerability allows for remote code execution with root privileges, leading to full system compromise.

Reproduction

To reproduce this vulnerability, send a POST request to the '/goform/WriteFacMac' endpoint with the 'mac' parameter containing shell metacharacters. The injected commands will be executed with root privileges, allowing for remote code execution on the device.
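For defenders, the request described above can be flagged in proxy or web-server logs by checking whether the 'mac' value is anything other than a plain MAC address. The following is an added example, not code from the advisory or from Tenda; the MAC format, the record layout, the sample requests and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/goform/WriteFacMac"  # endpoint named in the advisory
# Assumed legitimate format (not stated on the page): six hex octets joined by ':' or '-'.
MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}")


def suspicious_mac_values(method, url, body):
    """Return 'mac' values sent to the endpoint that are not a plain MAC address."""
    parts = urlsplit(url)
    if method.upper() != "POST" or parts.path.rstrip("/") != TARGET_PATH:
        return []
    # parse_qs percent-decodes, so encoded metacharacters (%3B, %60, %0A) are
    # checked in decoded form; repeated 'mac' parameters are all inspected.
    values = parse_qs(body, keep_blank_values=True).get("mac", [])
    # Assumption: a 'mac' in the query string is also worth inspecting.
    values += parse_qs(parts.query, keep_blank_values=True).get("mac", [])
    # fullmatch (not match with '$') so a trailing newline is rejected too.
    return [v for v in values if not MAC_RE.fullmatch(v)]


def scan(requests):
    """Return (index, offending values) for each flagged (method, url, body) record."""
    return [(i, bad) for i, (m, u, b) in enumerate(requests)
            if (bad := suspicious_mac_values(m, u, b))]


# Constructed sample records (method, URL, form body); not captured traffic.
SAMPLES = [
    ("POST", "/goform/WriteFacMac", "mac=00%3A11%3A22%3A33%3A44%3A55"),
    ("POST", "/goform/WriteFacMac", "mac=00%3A11%3A22%3A33%3A44%3A55%3BPLACEHOLDER"),
    ("POST", "/goform/WriteFacMac", "mac=00%3A11%3A22%3A33%3A44%3A55%0A"),
    ("POST", "/goform/WriteFacMac", "mac=00:11:22:33:44:55&mac=%60PLACEHOLDER%60"),
    ("GET", "/goform/WriteFacMac", ""),
    ("POST", "/goform/other", "mac=%7C"),  # hypothetical unrelated path
]

if __name__ == "__main__":
    for index, bad in scan(SAMPLES):
        print(f"request {index}: non-MAC 'mac' value(s) {bad!r}")
```

The same allowlist check, applied on the device before the value reaches a shell, is the corresponding input-validation mitigation.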

Added: Jun 8, 2026, 6:21 PM
Updated: Jun 8, 2026, 6:21 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 8.7
remediation: 0.0
relevance: 9.3
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.