CVE-2026-1638
Remote Command Injection in Tenda AC21 mDMZSetCfg Function

Publication date: 2026-01-30

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security flaw has been discovered in Tenda AC21 1.1.1.1/1.dmzip/16.03.08.16. The impacted element is the function mDMZSetCfg of the file /goform/mDMZSetCfg. The manipulation of the argument dmzIp results in command injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-01-30
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: tenda
Product: ac21_firmware
Version / Range: 16.03.08.16
CWE
CWE-77: The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-74: The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a stored command injection in the Tenda AC21 router's function mDMZSetCfg, specifically in the /goform/mDMZSetCfg endpoint. It occurs because the dmzIp parameter is insufficiently validated using inet_addr, which only loosely checks the IP address and ignores trailing characters. Attackers can append arbitrary shell commands to the dmzIp input, which are then stored in the router's NVRAM. Later, the backend netctrl service reads this stored value and executes it as part of system commands (like iptables) without sanitization, resulting in remote code execution with root privileges. This allows persistent compromise, as the malicious commands can re-execute on reboot or service restart. [1, 2, 3]
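The weak check described above, contrasted with a strict validator for the same field, as an added C example that is not from the advisory or from Tenda's firmware; the function names and the sample inputs are constructed for illustration:

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Lenient check of the kind the advisory describes: inet_addr() returns
 * INADDR_NONE only for input it cannot parse at all. On glibc and BSD-derived
 * libcs the parser accepts one trailing whitespace character and ignores
 * everything after it, so "1.1.1.1\nreboot" passes as a valid address. */
int loose_accepts(const char *s)
{
    return inet_addr(s) != INADDR_NONE;
}

/* Strict validator (hypothetical hardening, not Tenda's code):
 * 1. allow-list the characters: only digits and dots, at most 15 of them;
 * 2. inet_pton() must consume the whole string;
 * 3. re-serialise with inet_ntop() and require an exact match, so the value
 *    that is later stored in NVRAM and handed to iptables is canonical.
 * Returns 1 and fills out (>= INET_ADDRSTRLEN bytes) on success, 0 otherwise. */
int strict_dmz_ip(const char *s, char *out, size_t outlen)
{
    struct in_addr addr;
    size_t len = strlen(s);

    if (len == 0 || len > 15 || outlen < INET_ADDRSTRLEN)
        return 0;
    if (strspn(s, "0123456789.") != len)     /* rejects '\n', ';', '`', '$', ' ' */
        return 0;
    if (inet_pton(AF_INET, s, &addr) != 1)   /* rejects "256.1.1.1", "1.1.1" */
        return 0;
    if (inet_ntop(AF_INET, &addr, out, (socklen_t)outlen) == NULL)
        return 0;
    return strcmp(out, s) == 0;              /* rejects non-canonical forms */
}

/* Convenience wrapper when only the verdict is needed. */
int is_valid_dmz_ip(const char *s)
{
    char canon[INET_ADDRSTRLEN];
    return strict_dmz_ip(s, canon, sizeof canon);
}

int main(void)
{
    /* constructed sample inputs, including the payload shape from the advisory */
    const char *samples[] = { "192.168.1.100", "1.1.1.1\nreboot", "1.1.1.1;echo", "256.1.1.1" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu: loose=%d strict=%d\n", i,
               loose_accepts(samples[i]), is_valid_dmz_ip(samples[i]));
    return 0;
}
```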


How can this vulnerability impact me?

Exploitation of this vulnerability can lead to remote code execution with full root access on the affected router. An attacker can execute arbitrary commands, causing persistent compromise by storing malicious payloads in the device configuration. This can result in device reboot, network traffic manipulation, interception, lateral movement within the internal network, and full control over the device, severely impacting the confidentiality, integrity, and availability of the network and connected systems. [1, 2, 3]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if the router's DMZ configuration contains suspicious or malformed IP addresses with appended shell commands. For example, inspect the stored DMZ IP value in the router's NVRAM for unexpected characters or commands (such as newline characters followed by shell commands like 'reboot'). A practical detection method is to send an authenticated POST request to the `/goform/mDMZSetCfg` endpoint with a crafted `dmzIp` parameter containing a payload like '1.1.1.1\nreboot' and observe if the device executes the command (e.g., reboots). Additionally, monitoring for unexpected reboots or changes in firewall rules may indicate exploitation. Specific commands depend on router access, but checking the NVRAM value for 'wan1.dmzip' or firewall rules for injected commands can help detect compromise. [1, 2]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting access to the router's management interface to trusted users only and ensuring strong authentication is in place to prevent unauthorized POST requests to `/goform/mDMZSetCfg`. Since no known patches or countermeasures are identified, it is recommended to avoid using the vulnerable firmware version (V16.03.08.16) and replace the affected device with a non-vulnerable alternative. Monitoring the device for signs of compromise and disabling the DMZ feature if not needed can also reduce risk. [3]

