Tenda AC15V1 routers are vulnerable to a critical command injection attack that allows unauthenticated remote actors to gain full system control via the IPTV configuration interface.

The vulnerability is located in the goform/formSetIptv handler, where the s1_1 parameter is passed to sub_B0488 and subsequently used in doSystemCmd. The lack of input validation allows an unauthenticated attacker to execute arbitrary OS commands on the device.

The CVSS score of 9.8 highlights the extreme risk associated with this flaw. A successful exploit grants the attacker root-level access, enabling them to monitor all network traffic, install malware, or launch further attacks against internal assets. This compromises the entire security posture of the local network.

Immediate Action: Update the Tenda AC15V1 firmware to the latest patched version immediately to resolve the improper input handling.

Proactive Monitoring: Review web server logs for suspicious POST requests to the /goform/formSetIptv endpoint containing shell characters like semicolons or backticks.

Compensating Controls: Use a Web Application Firewall (WAF) or internal firewall rules to block access to the router’s web management interface from untrusted networks.

Public Exploit Available: false

We recommend an immediate update of all affected Tenda AC15V1 devices. Because this vulnerability can be exploited remotely and without authentication, it should be addressed during the next available maintenance window to prevent potential network-wide compromise.