Attackers actively targeting Tenda WiFi router vulnerability

SonicWall Capture Labs Threat Research team observes attackers actively exploiting the  arbitrary remote code execution vulnerability reported in Tenda AC15 router. Tenda AC15 AC1900AC15 is an AC1900 Smart Dual-band Gigabit Wi-Fi Router designed for smart home networking life.

CVE-2020–10987 | Vulnerability:

The goform/setUsbUnload endpoint of Tenda AC15 AC1900 version allows remote attackers to execute arbitrary system commands via the deviceName parameter. This vulnerability is due to improper validation of the input parameter deviceName and this value is directly passed to a doSystemCmd function, causing an arbitrary command execution.


In the below exploit request that was captured, the attacker passes the malicious shellcode through the deviceName parameter, allowing arbitrary code execution.

This command downloads a reverse shell to the temp directory and executes it

When is executed, it downloads more payloads from the attacker server and executes them one by one.

Trend Chart:


SonicWall Capture Labs Threat Research team provides protection against this exploit with the following signatures:

IPS: 13634 Suspicious Request URI 17
IPS: 5811 Web Application Suspicious File Upload 1 -c2
IPS: 3141 Web Application Suspicious File Upload 11
IPS: 15028 Web Application Suspicious File Upload 18


Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.