CVE-2018-5767

CRITICAL

Tenda AC15 <V15.03.1.16_multi - RCE

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2018-5767. PoCs published by Tim Carrington, Scorpion-Security-Labs, db44k.

AI-analyzed exploit summary This exploit targets CVE-2018-5767, a buffer overflow in the web interface of a device, using ROP gadgets to bypass DEP/NX and brute-force ASLR. It delivers a reverse shell via a compiled ARM binary served over HTTP.

Description

An issue was discovered on Tenda AC15 V15.03.1.16_multi devices. A remote, unauthenticated attacker can gain remote code execution on the device with a crafted password parameter for the COOKIE header.

Exploits (3)

exploitdb WORKING POC

by Tim Carrington · pythonremotehardware

https://www.exploit-db.com/exploits/44253

View Code ZIP pw:eip

This exploit targets CVE-2018-5767, a buffer overflow in the web interface of a device, using ROP gadgets to bypass DEP/NX and brute-force ASLR. It delivers a reverse shell via a compiled ARM binary served over HTTP.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Complex

Reliability

Racy

Target: Unknown (likely a network device with a vulnerable web interface)

No auth needed

Prerequisites: ARM cross-compiler · network access to target · knowledge of target's IP and port

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC

by Scorpion-Security-Labs · poc

https://github.com/Scorpion-Security-Labs/CVE-2018-5767-AC9

View Code ZIP pw:eip

This PoC exploits CVE-2018-5767, a buffer overflow vulnerability in the AC9 router's password parsing logic via the Cookie header. It leverages a ROP chain with hardcoded libc addresses to achieve remote command execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: AC9 router (and related models)

No auth needed

Prerequisites: Network access to the target router · Knowledge of the target's libc base address

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC

by db44k · poc

https://github.com/db44k/CVE-2018-5767-AC9

View Code ZIP pw:eip

This PoC exploits CVE-2018-5767, a buffer overflow vulnerability in the AC9 router model caused by an unguarded sscanf call when parsing the 'Cookie' header. It leverages ROP gadgets and a known libc base address to achieve remote code execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: AC9 router (and related models)

No auth needed

Prerequisites: Network access to the target router · Known libc base address (default: 0x2ad6d000)

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/44253/

Exploit, Technical Description, Third Party Advisory x_refsource_misc

https://www.fidusinfosec.com/remote-code-execution-cve-2018-5767/

Scores

CVSS v3 9.8

EPSS 0.4258

EPSS Percentile 98.5%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-20

Status published

Products (1)

tendacn/ac15_firmware 15.03.1.16

Published Feb 15, 2018

Tracked Since Feb 18, 2026