Tenda AC6 Command Injection Flaw CVE-2026-8263 Lets Attackers Execute

Executive Summary

A command injection vulnerability in Tenda AC6 routers — tracked as CVE-2026-8263 with a CVSS score of 5.8 — allows unauthenticated remote attackers to execute arbitrary operating system commands on affected devices. The flaw resides in the fromSetWirelessRepeat function within the httpd component, specifically in the /goform/WifiExtraSet endpoint. According to a public disclosure published on GitHub by researcher yaoyue123, the vulnerability is triggered by manipulating the mac or ssid arguments. Exploit code has been released publicly, and the researcher states the attack can be initiated remotely without authentication. Tenda has not yet released a firmware patch as of this writing.

Technical Analysis

CVE-2026-8263 affects Tenda AC6 routers running firmware version 15.03.06.49_multi_TDE01. The vulnerable endpoint /goform/WifiExtraSet processes HTTP POST requests to configure wireless repeater settings. The fromSetWirelessRepeat function fails to sanitize user-supplied input passed via the mac and ssid parameters before incorporating them into a system command. An attacker can inject shell metacharacters — such as semicolons, pipes, or backticks — to append arbitrary commands that execute with the privileges of the httpd process, typically root on embedded Linux-based routers.

The researcher's disclosure includes a proof-of-concept exploit that demonstrates remote command execution by sending a crafted HTTP request to the router's management interface. Because the httpd service listens on port 80 (and optionally 443 if HTTPS is enabled), the attack surface is exposed to any network-adjacent or internet-facing device that has the web administration interface accessible. No authentication is required to reach the /goform/WifiExtraSet endpoint, making this a pre-authentication vulnerability.

The CVSS 5.8 score reflects a medium-to-high severity due to the low attack complexity (network-based, no privileges required) but limited impact scope — the vector is AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, indicating partial confidentiality, integrity, and availability loss. However, on embedded router hardware, command injection often leads to full device compromise, including credential theft, traffic interception, and use in botnet recruitment.

Public exploit availability significantly raises the risk profile. As of May 11, 2026, Shodan and Censys scans likely index thousands of Tenda AC6 devices with the vulnerable firmware version exposed to the internet. The researcher's GitHub repository contains the full exploit code, which can be trivially adapted for mass exploitation.

Mitigations & Recommendations

Tenda has not yet published a patched firmware version for the AC6. Until an update is available, defenders and users should take the following steps:

• Disable remote administration on the router's WAN interface. If the management web interface must be accessible, restrict access to trusted local IP addresses only via firewall rules.
• Change the default admin credentials if not already done, though this does not mitigate the pre-authentication injection vector — it limits post-exploitation lateral movement.
• Monitor for anomalous HTTP requests to /goform/WifiExtraSet containing shell metacharacters in the mac or ssid parameters. Network intrusion detection systems (e.g., Suricata, Snort) can be configured with custom rules to flag such patterns.
• Consider replacing the router if the vendor does not issue a patch within a reasonable timeframe, as the device will remain vulnerable indefinitely.
• Segment IoT devices on a separate VLAN with restricted internet access to limit blast radius in case of compromise.