Primary

Context

Tenda F456 Command Injection Vulnerability in httpd Component

Vulnerability

A command injection vulnerability has been identified in the Tenda F456 router, specifically in version 1.0.0.5. The issue arises in the httpd component, within the FromWriteFacMac function of the /goform/WriteFacMac file. The vulnerability allows remote attackers to execute arbitrary operating system commands by manipulating the 'mac' argument in a crafted request.

Impact

Exploitation of this vulnerability allows for command injection, where an attacker can execute arbitrary commands on the router's operating system.

Reproduction

To reproduce this vulnerability, send a POST request to the /goform/WriteFacMac endpoint. Include a 'mac' parameter with a value that contains a command to be executed, such as an echo command. The router will execute the injected command, demonstrating the command injection flaw.

Added: Apr 27, 2026, 9:26 AM

Updated: Apr 27, 2026, 9:26 AM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

7.5

exploitability

8.7

remediation

0.0

relevance

6.7

threat

6.4

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

7.5

exploitability

8.7

remediation

0.0

relevance

6.7

threat

6.4

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Tenda F456 Command Injection Vulnerability in httpd Component

Vulnerability

Impact

Reproduction

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating