PT-2018-3769 · Tenda · Tenda Ac9+2

Published 2018-07-21 · Updated 2025-03-20 · CVE-2018-14558

CVSS v3.1: 10 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Tenda AC7 versions through V15.03.06.44 CN(AC7)
Tenda AC9 versions through V15.03.05.19(6318) CN(AC9)
Tenda AC10 versions through V15.03.06.23 CN(AC10)

Description

A command injection issue allows attackers to execute arbitrary OS commands via a crafted "goform/setUsbUnload" request. This occurs because the formsetUsbUnload function executes a dosomeCmd function with untrusted input. The vulnerability exists due to the lack of neutralization of special elements used in the operating system command.

Recommendations

For Tenda AC7 versions through V15.03.06.44 CN(AC7), consider disabling the formsetUsbUnload function until a patch is available.
For Tenda AC9 versions through V15.03.05.19(6318) CN(AC9), restrict access to the "goform/setUsbUnload" request to minimize the risk of exploitation.
For Tenda AC10 versions through V15.03.06.23 CN(AC10), avoid using the dosomeCmd function with untrusted input until the issue is resolved.
As a temporary workaround, consider restricting the use of the formsetUsbUnload function in all affected devices until a patch is available.
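
Added example, not taken from this advisory or from Tenda firmware: a C sketch of what "neutralization" means for a handler of this kind, namely validating the request value against an allowlist and passing it to the helper as a single argv element instead of building a shell command string. The function names, the length limit, the helper path and the assumption that the value is a short USB device identifier are all hypothetical; the page does not name the parameter.

```c
#include <stddef.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define DEV_NAME_MAX 32  /* assumed limit, not taken from the firmware */

/* Allowlist check: 1..DEV_NAME_MAX characters from [A-Za-z0-9_-], not
 * starting with '-' (so the helper cannot read it as an option).
 * Everything else (shell metacharacters, whitespace, '/', quotes) is
 * rejected rather than escaped. */
int dev_name_is_safe(const char *s)
{
    static const char allowed[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_-";
    size_t n;

    if (s == NULL || s[0] == '-')
        return 0;
    n = strlen(s);
    if (n == 0 || n > DEV_NAME_MAX)
        return 0;
    return strspn(s, allowed) == n;
}

/* Run `helper dev` with no shell involved: dev is one argv element, so it
 * is never parsed as command text. Returns the helper's exit status, 127 if
 * the helper cannot be executed, or -1 if the input is rejected or
 * fork/waitpid fails. */
int run_usb_unload(const char *helper, const char *dev)
{
    pid_t pid;
    int status;

    if (!dev_name_is_safe(dev))
        return -1;               /* rejected before any process is created */
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)helper, (char *)dev, NULL };
        execv(helper, argv);     /* hypothetical helper path from the caller */
        _exit(127);              /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```
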

Exploit

Fix

DoS

OS Command Injection

Weakness Enumeration

Related Identifiers

BDU:2021-05955
CVE-2018-14558

Affected Products

Tenda Ac10
Tenda Ac7
Tenda Ac9