External risk intelligence

Tenda AC18 router allows attackers to take full control and execute commands due to a security flaw.

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-31255

An external attacker can exploit Tenda AC18 routers to run unauthorized commands and take full control of the device. This allows intruders to potentially intercept sensitive traffic or gain unauthorized access to the internal network.

3Halo Surface Signal

Command Injection

Tenda Ac18 Firmware

15.03.05.05

External exposure likelihood

Halo Surface Signal score for CVE-2026-31255

The issue involves a consumer router's management interface. Although the device is an internet gateway, the management panel is typically designed for internal local access. While public internet reachability is possible through user-configured settings like remote management, it is not the default or standard deployment expectation, making the surface's exposure variable.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Horizon Alert

Summary of the vulnerability and why it matters

A command injection vulnerability in Tenda AC18 routers allows unauthorized access to execute arbitrary system commands. This is a significant concern because it can lead to a complete compromise of the affected device.

  • Attackers can gain full control.
  • This impacts network security.
  • It is reachable from the internet.

Attack Path

How an attacker could exploit the issue

Attackers can exploit this vulnerability by sending a specially crafted request to the `/goform/SetSambaCfg` interface on a Tenda AC18 router. This allows them to inject and execute arbitrary system commands on the device. This could lead to full compromise of the router, enabling further network intrusion or disruption.

  • No authentication required.
  • Target: `/goform/SetSambaCfg` interface.
  • Attacker sends malicious request.

Live Threat

Current exploitation, exposure, and threat context

Attackers might target this command injection vulnerability in Tenda AC18 firmware because it allows for unauthenticated remote code execution on a network device. Such devices, acting as internet gateways, are attractive targets for establishing botnets or pivoting into internal networks. However, specific exploitation details and wider weaponization are not yet evident.

  • No KEV listing observed.
  • Exploitation remains unconfirmed.
  • Public exploits are not readily available.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Teams should prioritize identifying all Tenda AC18 devices running firmware version 15.03.05.05 due to a critical command injection vulnerability in the `/goform/SetSambaCfg` interface. Given the CVSS score of 9.8 and no reported patches, immediate isolation of affected devices is recommended to prevent potential system compromise.

  • Isolate or take affected devices offline.
  • Monitor network traffic for exploitation attempts.
  • Investigate and implement network segmentation.

Frequently asked questions

What is the Tenda AC18 router?

The Tenda AC18 is a dual-band Gigabit Wi-Fi router designed for high-performance home or small office networking. It supports the 802.11ac standard, offering combined speeds of up to 1900 Mbps (1300 Mbps on 5GHz and 600 Mbps on 2.4GHz). It features a dual-core processor, multiple Gigabit Ethernet ports, and external antennas for extended coverage.

What is CVE-2026-31255 and how does it affect the Tenda AC18?

CVE-2026-31255 is a critical command injection vulnerability present in specific firmware versions of the Tenda AC18 router. This flaw resides within the /goform/SetSambaCfg interface and allows attackers to execute arbitrary system commands by manipulating the 'guestuser' parameter.

How can an attacker exploit the Tenda AC18 vulnerability?

An attacker can exploit CVE-2026-31255 by sending a specially crafted HTTP POST request to the router's /goform/SetSambaCfg interface. This request includes malicious commands within the 'guestuser' parameter, which are then executed by the router's system without proper sanitization or authentication.

What is the impact of CVE-2026-31255 on a Tenda AC18 router?

Successful exploitation of this vulnerability can lead to a complete compromise of the affected Tenda AC18 router. Attackers can gain full control, potentially enabling them to pivot into the internal network, install backdoors, or disrupt network services. This is due to the commands executing with elevated privileges.

What should be done to address the Tenda AC18 vulnerability?

While specific patch information is not detailed, recommended actions generally include isolating affected devices to prevent exploitation. Organizations should also monitor network traffic for suspicious activity targeting the /goform/SetSambaCfg interface and investigate network segmentation as a mitigation strategy until a firmware update is available and applied.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified