CVE-2026-11556: Tenda F451 Web Management WriteFacMac formWriteFacMac os command injection
A security flaw has been discovered in Tenda F451 1.0.0.7/1.0.0.9. Affected is the function formWriteFacMac of the file /goform/WriteFacMac in the Web Management Interface component. Manipulating the argument mac leads to OS command injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be used for attacks.
Metrics
- CVSS v4.0: 8.7
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An OS command injection flaw exists in the Tenda F451 router's web management interface, specifically in the formWriteFacMac function that handles requests to /goform/WriteFacMac. An attacker with a low-privilege account can send a crafted 'mac' argument to this endpoint over the network, injecting arbitrary operating system commands without any victim interaction. Successful exploitation gives the attacker full control of the device, including the ability to read, modify, or destroy data and disrupt device operation. No fix version has been published; HarborGuard tracks the upstream advisory and will make a patched rebuild available as soon as one is released.
HarborGuard Coverage
Detection of CVE-2026-11556 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds including VulDB, covering custom-built images that bundle Tenda F451 firmware or related components. Any image in a connected registry or CI pipeline that includes an affected version (1.0.0.7 or 1.0.0.9) is eligible for flagging automatically.
Triage is available with the CVSS v4.0 score of 8.7 (HIGH) applied to each matched finding, weighted against the per-environment compliance policy configured for the customer org. Findings are routed to the appropriate team inbox based on policy rules, so the right owners see the alert without manual sorting.
Because no upstream fix version has been published for CVE-2026-11556, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. In the interim, customers can apply compensating controls through HarborGuard's policy engine, such as network-policy isolation rules that restrict access to the web management interface.
Exploit Conditions
- Network reachability: Required
The attacker must reach the device's web management interface over the network; the vulnerable endpoint is remotely accessible.
- Authentication: Required
A low-privilege account on the web management interface is sufficient; no administrative credentials are needed.
- Victim interaction: Not required
No user action or social engineering is needed; the attacker sends the malicious request directly to the endpoint.
- Attack complexity: Low
The exploit is reliable and condition-free, with no race conditions or special environmental factors required.
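The conditions above come down to one thing a defender can watch for: a request to /goform/WriteFacMac whose mac argument is not a plain MAC address. The following is an added example, not HarborGuard's or Tenda's code; it assumes a simplified common-log format with the mac argument in the query string (constructed sample lines, not real device logs) and that a canonical colon-separated MAC is the only legitimate value. It applies the same strict allowlist a hardened handler would use before passing the value anywhere near a shell.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Allowlist: six hex octets separated by ':'. Assumption for this example;
# the vulnerable argument is expected to carry only a MAC address.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")
TARGET_PATH = "/goform/WriteFacMac"

# Constructed access-log lines for illustration (not real device logs).
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Jan/2026:10:00:00 +0000] "GET /goform/WriteFacMac?mac=00:11:22:33:44:55 HTTP/1.1" 200 12',
    '10.0.0.9 - - [01/Jan/2026:10:00:01 +0000] "GET /goform/WriteFacMac?mac=00:11:22:33:44:55%3Buname%20-a HTTP/1.1" 200 12',
    '10.0.0.7 - - [01/Jan/2026:10:00:02 +0000] "GET /index.htm HTTP/1.1" 200 512',
    '10.0.0.8 - - [01/Jan/2026:10:00:03 +0000] "GET /goform/WriteFacMac?mac=zz:11:22:33:44:55 HTTP/1.1" 200 12',
]

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)

def is_valid_mac(value):
    """Strict allowlist check: the only safe way to accept a MAC argument."""
    return bool(MAC_RE.match(value))

def inspect_line(line):
    """Return None for benign lines, or a dict describing a suspicious WriteFacMac request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != TARGET_PATH:
        return None
    # parse_qs percent-decodes values, so an encoded ';' or '`' becomes visible here.
    macs = parse_qs(parts.query, keep_blank_values=True).get("mac", [])
    bad = [v for v in macs if not is_valid_mac(v)]
    if not bad:
        return None
    return {"src": m.group("src"), "ts": m.group("ts"), "mac": bad[0]}

def scan(lines):
    """Run the check over a sequence of log lines and return the suspicious hits."""
    return [hit for hit in (inspect_line(line) for line in lines) if hit]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"{hit['ts']} {hit['src']} sent non-MAC value to {TARGET_PATH}: {hit['mac']!r}")
```

The same allowlist rejects any value that is not exactly a MAC address, so a handler that validates with it before use is not exposed to metacharacter injection regardless of how the value is later consumed.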
Blast Radius
- The attacker executes arbitrary OS commands on the Tenda F451 device with the privileges of the web server process.
- Credentials, configuration data, and any secrets stored on the device are exposed and readable by the attacker.
- The attacker can modify device configuration, firmware settings, or routing rules, altering device behavior persistently.
- The attacker can crash or restart the device, causing a loss of network connectivity for any clients depending on it.
How HarborGuard Handles This
Because no patch exists for CVE-2026-11556, the platform monitors the VulDB advisory and all upstream feeds on every ingest cycle, ready to trigger a patched-image rebuild the moment an upstream fix is published. For customers with auto-remediation enabled, that rebuild will be followed immediately by a regression test run and a PR opened against affected workloads, with a median time from CVE publication to merged patch PR of around 90 minutes for high-severity issues once a fix is available. While no fix exists, HarborGuard's policy engine can surface compensating-control recommendations, including network-policy isolation to restrict access to the web management interface, egress filtering to limit lateral movement from a compromised device, and feature-flag gating where supported. Customers whose compliance policy flags externally published exploits (the CVSS v4.0 E:P exploit-maturity token is set) will see this finding escalated automatically within their triage queue.
Affected Products
- Tenda / F451: 1.0.0.7 · 1.0.0.9
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P