CVE-2026-38142
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk48th percentile — higher than 48% of all known CVEs
Summary
An unauthenticated command injection vulnerability exists in the /goform/fast_setting_internet_set endpoint of Tenda AC18 firmware version 15.03.05.05. An attacker can send a crafted request with a malicious payload in the mac parameter to execute arbitrary system commands.
Risk Assessment
An attacker can remotely take full control of the router without authentication, leading to complete device compromise, network traffic interception, or use as an entry point into the organization's internal network.
Recommendation
Immediately update the Tenda AC18 router firmware to the latest available version if a patch has been released. In the meantime, restrict management interface access to trusted IP addresses and deploy a firewall to block unauthorized requests to the vulnerable endpoint.
Original NVD description (English source)
An unauthenticated command injection vulnerability in the /goform/fast_setting_internet_set endpoint of Tenda AC18 v15.03.05.05 allows attackers to execute arbitrary commands via a crafted payload injected into the mac parameter.

