Exploitation Summary
CVE-2018-14558 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021.
Description
An issue was discovered on Tenda AC7 devices with firmware through V15.03.06.44_CN(AC7), AC9 devices with firmware through V15.03.05.19(6318)_CN(AC9), and AC10 devices with firmware through V15.03.06.23_CN(AC10). A command Injection vulnerability allows attackers to execute arbitrary OS commands via a crafted goform/setUsbUnload request. This occurs because the "formsetUsbUnload" function executes a dosystemCmd function with untrusted input.
References (2)
Core 2
Core References
US Government Resource
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-14558
Broken Link, Exploit, Third Party Advisory x_refsource_misc
https://github.com/zsjevilhex/iot/blob/master/route/tenda/tenda-01/Tenda.md
Scores
CVSS v3
9.8
EPSS
0.7832
EPSS Percentile
99.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
active
Automatable
yes
Technical Impact
total
Details
CISA KEV
2021-11-03
VulnCheck KEV
2021-04-13
InTheWild.io
2021-07-23
ENISA EUVD
EUVD-2018-6467
CWE
CWE-78
Status
published
Products (3)
tenda/ac10_firmware
< 15.03.06.23_cn
tenda/ac7_firmware
< 15.03.06.44_cn
tenda/ac9_firmware
< 15.03.05.19\(6318\)_cn
Published
Oct 30, 2018
KEV Added
Nov 03, 2021
Tracked Since
Feb 18, 2026