What is the Tenda AC15?
The Tenda AC15 (AC1900) is a consumer Wi-Fi router with dual-band 802.11ac support, widely sold as an affordable home and small office router. Tenda is a Chinese networking equipment manufacturer producing consumer routers, access points, and switches at low price points. Like many consumer routers, the Tenda AC15 runs an embedded Linux-based firmware with a web management interface accessible over the local network (and sometimes from the internet if remote management is enabled). The device management interface processes user-supplied input to configure device names, SSID settings, and other parameters — a common source of OS command injection vulnerabilities in consumer router firmware, where input sanitization is often absent or minimal.
Overview
CVE-2020-10987 is an OS command injection vulnerability (CWE-78) in the Tenda AC15 (AC1900) router that allows a remote attacker to execute arbitrary system commands via the deviceName POST parameter in the goform/SetOnlineDevName web management endpoint. An unauthenticated attacker who can reach the router's web management interface can send a crafted POST request to achieve command execution on the router's embedded Linux system as root. Tenda has not released a patch for this vulnerability. CISA added it to KEV in November 2021.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Tenda AC15 (AC1900) all firmware versions | Yes | No patch available — replace device or isolate |
Technical Details
- Root cause: OS command injection (CWE-78) in the goform/SetOnlineDevName endpoint — this endpoint allows users to set a custom name for a device connected to the router's network; the deviceName POST parameter value is passed to an OS command (likely a shell invocation like system() or popen()) without sanitization; by including shell metacharacters (;, |, `) in the deviceName value, an attacker injects arbitrary commands that are executed by the router's Linux shell as root
- Authentication bypass: The CVSS PR:N (no privileges required) indicates the endpoint is accessible without authentication, or authentication is trivially bypassable — common in consumer router firmware where web management API endpoints lack proper session validation; the endpoint may be accessible from the LAN-side interface without any authentication
- Root execution context: Router firmware management processes typically run as root (UID 0), providing full control of the embedded Linux system; post-exploitation, an attacker can: modify router configuration to redirect DNS queries (DNS hijacking), install persistent backdoors in router firmware, capture all network traffic passing through the router, disable security features, and use the router as a pivot point into the network
- No patch availability: Tenda did not release a patch for CVE-2020-10987 within a reasonable timeframe, leaving users with no vendor-provided fix; the required action "Apply updates per vendor instructions" reflects official CISA guidance, but the practical remediation is device replacement or network isolation
- Consumer router vulnerability pattern: Tenda routers are frequently discovered to have multiple command injection and authentication bypass vulnerabilities — the codebase lacks systematic security testing, and the vendor's patch cadence for older products is poor; multiple other Tenda vulnerabilities were added to KEV alongside CVE-2020-10987
Discovery
The vulnerability was identified by security researchers and publicly disclosed in July 2020 without a vendor patch. It was confirmed exploitable and published to vulnerability databases. CISA's November 2021 KEV addition reflects active exploitation by botnets and threat actors targeting consumer routers.
Exploitation Context
Consumer routers are high-value targets for botnet operators, cryptomining malware, and persistent threat actors because they: sit at the boundary between home/office networks and the internet, have unrestricted internet access, run 24/7 without regular monitoring, and are rarely updated or replaced until they fail. Tenda router vulnerabilities have been incorporated into Mirai variants and other IoT botnets that leverage compromised routers for DDoS attacks, credential stuffing proxies, and traffic interception. An attacker who compromises a home or small office router via CVE-2020-10987 gains a persistent network tap capable of intercepting all unencrypted traffic and a stable internet-connected pivot point.
Remediation
- Replace the Tenda AC15 with a router model that receives active security patches — no vendor-provided fix exists for CVE-2020-10987
- If replacement is not immediate: disable remote management (internet-facing access to the router web interface) — ensure the router's web management is only accessible from the local LAN
- Change the default admin password and disable any default admin accounts — reduces risk from additional authentication bypass vulnerabilities in the same codebase
- Segment the network — place the router on an isolated VLAN or network segment where its management interface is not accessible from untrusted hosts
- Monitor for anomalous DNS query behavior (DNS hijacking) or unusual outbound connections that may indicate the router has been compromised
- Consider replacing consumer-grade routers with business-grade alternatives from vendors with established security patching programs for networks handling sensitive data
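Where an AC15 must stay in service until it is replaced, requests to the endpoint described under Technical Details can be screened in proxy or IDS records. The following is an added example, not code from the advisory or from Tenda; the record layout, the "extra" field, the sample values and the metacharacters beyond ; | ` are assumptions.

```python
from urllib.parse import unquote_plus, urlsplit

ENDPOINT = "/goform/setonlinedevname"  # endpoint named in the advisory, lower-cased
PARAM = "deviceName"                   # parameter named in the advisory
# The advisory names ; | and ` ; the remaining characters are an added assumption.
META = set(";|`&$<>()\n\r")

def form_values(body, name):
    """Decode an application/x-www-form-urlencoded body; return every value of `name`."""
    values = []
    for pair in body.split("&"):
        key, _, raw = pair.partition("=")
        if unquote_plus(key) == name:
            # Decode before matching: %3B, %7C and %60 hide ; | and `
            values.append(unquote_plus(raw))
    return values

def suspicious_chars(method, url, body):
    """Return shell metacharacters found in deviceName, or [] for clean/unrelated requests."""
    if method.upper() != "POST":
        return []
    if not urlsplit(url).path.rstrip("/").lower().endswith(ENDPOINT):
        return []
    found = set()
    for value in form_values(body, PARAM):
        found |= META & set(value)
    return sorted(found)

def scan(records):
    """records: iterable of (source_ip, method, url, body) -> [(source_ip, chars), ...]."""
    alerts = []
    for src, method, url, body in records:
        chars = suspicious_chars(method, url, body)
        if chars:
            alerts.append((src, chars))
    return alerts

# Constructed sample records: documentation IP range, placeholder values, made-up "extra" field.
SAMPLE = [
    ("192.0.2.10", "POST", "/goform/SetOnlineDevName", "deviceName=living-room-tv&extra=1"),
    ("192.0.2.77", "POST", "/goform/SetOnlineDevName", "deviceName=tv%3BPLACEHOLDER&extra=1"),
    ("192.0.2.78", "POST", "/goform/SetOnlineDevName", "extra=1&deviceName=tv%60PLACEHOLDER%60"),
    ("192.0.2.10", "GET", "/goform/SetOnlineDevName", ""),
    ("192.0.2.10", "POST", "/goform/other", "deviceName=a%7Cb"),
]

if __name__ == "__main__":
    for src, chars in scan(SAMPLE):
        print(f"ALERT {src}: deviceName contains {chars}")
```

This only covers cleartext HTTP requests that cross the sensor producing the records; requests made from inside the LAN directly to the router are not seen by an upstream proxy.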
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2020-10987 |
| Vendor / Product | Tenda — AC1900 Router AC15 Model |
| NVD Published | 2020-07-13 |
| NVD Last Modified | 2025-11-07 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-78 |
| CISA KEV Added | 2021-11-03 |
| CISA KEV Deadline | 2022-05-03 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2020-07-13 | CVE-2020-10987 published for Tenda AC15 command injection via deviceName parameter |
| 2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-05-03 | CISA BOD 22-01 remediation deadline |