Login Sign Up

CVE-2020-15916

9.8 CRITICAL
Remote Code Execution

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary system commands on Tenda AC15 AC1900 routers via shell metacharacters in the lanIp parameter. Attackers can gain full control of affected devices without authentication. Users with Tenda AC15 AC1900 routers running vulnerable firmware are affected.

💻 Affected Systems

Products:
  • Tenda AC15 AC1900
Versions: 15.03.05.19 and likely earlier versions
Operating Systems: Embedded Linux on Tenda routers
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default configuration. No authentication required for exploitation.

📦 What is this software?

Ac15 Firmware by Tenda

View all CVEs affecting Ac15 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of router with persistent backdoor installation, network traffic interception, credential theft, and pivot to internal network devices.

🟠

Likely Case

Router takeover leading to DNS hijacking, credential harvesting, and use as botnet node for DDoS attacks.

🟢

If Mitigated

Limited impact if device is behind firewall with no WAN access and proper network segmentation.

🌐 Internet-Facing: HIGH - Directly exploitable from internet if router's web interface is exposed.
🏢 Internal Only: HIGH - Exploitable from any device on the local network without authentication.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP POST request with shell commands in lanIp parameter. Public exploit code available in security blogs.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Tenda website for latest firmware

Vendor Advisory: https://www.tendacn.com/support/download.html

Restart Required: Yes

Instructions:

1. Download latest firmware from Tenda website. 2. Log into router admin interface. 3. Navigate to System Tools > Firmware Upgrade. 4. Upload and install new firmware. 5. Reboot router.

🔧 Temporary Workarounds

Disable Remote Management

all

Prevent external access to router web interface

Network Segmentation

all

Isolate router management interface to separate VLAN

🧯 If You Can't Patch

  • Replace router with different vendor/model
  • Place router behind firewall blocking access to port 80/443

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router admin interface under System Status or System Tools

Check Version:

curl -s http://router-ip/goform/AdvSetLanip (do not execute with malicious payload)

Verify Fix Applied:

Verify firmware version is newer than 15.03.05.19 and test endpoint with safe payload

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to /goform/AdvSetLanip with shell metacharacters in parameters
  • Unusual command execution in router logs

Network Indicators:

  • HTTP traffic to router IP on port 80/443 with POST to vulnerable endpoint
  • Outbound connections from router to suspicious IPs

SIEM Query:

http.method:POST AND http.uri:"/goform/AdvSetLanip" AND (http.param:*;* OR http.param:*|* OR http.param:*`*)

📊 Metadata

CVE ID: CVE-2020-15916
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-78
Published: July 23, 2020
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-15916, you might also want to check these:

CVE-2023-2564 10.0

This CVE describes an OS command injection vulnerability in scanservjs web scanning software that al...

Same vulnerability type (CWE-78)
CVE-2024-58338 10.0

Anevia Flamingo XL 3.2.9 contains a restricted shell escape vulnerability that allows remote attacke...

Same vulnerability type (CWE-78)
CVE-2025-26389 10.0

This critical vulnerability allows unauthenticated remote attackers to execute arbitrary code with r...

Same vulnerability type (CWE-78)