The Tenda AC10 is a wireless router from the Chinese company Tenda. Tenda AC10U version 15.03.06.49 suffers from an operating system command injection vulnerability, which originates from the mac parameter of the formWriteFacMac function of the /goform/WriteFacMac file failing to correctly filter the constructor command special characters, commands, and so on. An attacker can exploit this vulnerability to cause arbitrary command execution.