CVE-2020-28094 in AC1200
Summary
by MITRE • 12/28/2020
On Tenda AC1200 (Model AC6) 15.03.06.51_multi devices, the default settings for the router speed test contain links to download malware named elive or CNKI E-Learning.
Analysis
by VulDB Data Team • 06/30/2026
This vulnerability affects Tenda AC1200 routers running firmware version 15.03.06.51_multi where the default configuration includes malicious links within the router's speed test functionality. The flaw represents a critical security risk as it demonstrates how default router configurations can be compromised to deliver malware directly to end-user devices. The presence of links directing users to download elive or CNKI E-Learning malware indicates that attackers have modified the router firmware to include these malicious elements, potentially through supply chain compromise or unauthorized firmware updates.
The technical implementation involves the router's web interface containing embedded hyperlinks within the speed test results page that redirect users to compromised download servers hosting malicious software. This type of vulnerability falls under CWE-829 as it includes a feature that allows for the execution of malicious code through user interaction with default settings. The flaw exploits the trust users place in default router functionality, particularly when performing routine network diagnostics like speed tests. Attackers can leverage this by pre-configuring routers with malicious links, potentially targeting users who may not be security-aware or who do not regularly update their firmware.
The operational impact of this vulnerability extends beyond simple malware delivery as it represents a complete compromise of router trust boundaries. Once users click on the malicious links, they become vulnerable to various types of malware including trojans, backdoors, and information stealers that can compromise entire home or office networks. This type of attack vector aligns with ATT&CK technique T1566 where adversaries use spearphishing to deliver malware through compromised network infrastructure. The vulnerability particularly affects users who may not regularly check for firmware updates or who trust their router's default configuration without verification.
Organizations and individuals should immediately implement mitigations including disabling the speed test functionality if not required, updating to the latest firmware version from Tenda if available, and conducting network monitoring for unusual outbound connections. Network segmentation and firewall rules should be configured to block access to known malicious domains associated with elive and CNKI E-Learning malware. Additionally, security awareness training should emphasize the importance of verifying any download links even within trusted network infrastructure, particularly when they appear in default router interfaces. Regular firmware auditing and network traffic analysis can help detect compromise of router management interfaces and prevent exploitation of such supply chain vulnerabilities.
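One way to carry out the firmware audit mentioned above, as an added example that is not VulDB's or Tenda's code: the script walks an extracted firmware tree and lists hard-coded URLs that point off the LAN, marking those that end in a download-style extension. The sample tree, its file names, config keys and URLs are constructed for illustration and are not taken from the AC6 firmware.

```python
import ipaddress
import os
import re
import tempfile
from urllib.parse import urlsplit

URL_RE = re.compile(rb"https?://[^\s\"'<>\\)]+", re.I)
# Extensions treated as download targets; this list is an assumption, extend as needed.
DOWNLOAD_EXT = (".exe", ".msi", ".apk", ".dmg", ".zip", ".bin")

def is_local(host):
    """True for hosts that stay on the LAN (private or loopback IP literals)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name: treat as external
    return ip.is_private or ip.is_loopback

def find_external_links(root):
    """Walk an extracted firmware tree and list hard-coded off-device URLs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            for raw in URL_RE.findall(data):
                url = raw.decode("ascii", "replace").rstrip(".,;")
                parts = urlsplit(url)
                if not parts.hostname or is_local(parts.hostname):
                    continue
                download = parts.path.lower().endswith(DOWNLOAD_EXT)
                findings.append((os.path.relpath(path, root), url, download))
    return sorted(set(findings))

def build_sample_tree():
    """Constructed sample, not real firmware content: names and URLs are invented."""
    root = tempfile.mkdtemp(prefix="fw_sample_")
    os.makedirs(os.path.join(root, "webroot"))
    with open(os.path.join(root, "webroot", "default.cfg"), "w") as fh:
        fh.write("speedtest.url1=http://downloads.example.com/files/setup.exe\n"
                 "speedtest.url2=http://192.168.0.1/speed.bin\n")
    with open(os.path.join(root, "webroot", "index.html"), "w") as fh:
        fh.write('<a href="https://vendor.example.net/support">Support</a>\n')
    return root

if __name__ == "__main__":
    for rel, url, download in find_external_links(build_sample_tree()):
        print("DOWNLOAD" if download else "link    ", rel, url)
```

Entries marked as downloads are the ones to review first and to compare against the vendor's published defaults after each firmware update.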