CVE-2026-1638
Unknown Unknown - Not Provided
Remote Command Injection in Tenda AC21 mDMZSetCfg Function

Publication date: 2026-01-30

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security flaw has been discovered in Tenda AC21 1.1.1.1/1.dmzip/16.03.08.16. The impacted element is the function mDMZSetCfg of the file /goform/mDMZSetCfg. The manipulation of the argument dmzIp results in command injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-30
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-01-30
EPSS Evaluated
2026-06-15
NVD
CVE-2026-1638
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tenda ac21_firmware 16.03.08.16
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a stored command injection in the Tenda AC21 router's function mDMZSetCfg, specifically in the /goform/mDMZSetCfg endpoint. It occurs because the dmzIp parameter is insufficiently validated using inet_addr, which only loosely checks the IP address and ignores trailing characters. Attackers can append arbitrary shell commands to the dmzIp input, which are then stored in the router's NVRAM. Later, the backend netctrl service reads this stored value and executes it as part of system commands (like iptables) without sanitization, resulting in remote code execution with root privileges. This allows persistent compromise, as the malicious commands can re-execute on reboot or service restart. [1, 2, 3]

Impact Analysis

Exploitation of this vulnerability can lead to remote code execution with full root access on the affected router. An attacker can execute arbitrary commands, causing persistent compromise by storing malicious payloads in the device configuration. This can result in device reboot, network traffic manipulation, interception, lateral movement within the internal network, and full control over the device, severely impacting the confidentiality, integrity, and availability of the network and connected systems. [1, 2, 3]

Detection Guidance

This vulnerability can be detected by checking if the router's DMZ configuration contains suspicious or malformed IP addresses with appended shell commands. For example, inspecting the stored DMZ IP value in the router's NVRAM for unexpected characters or commands (such as newline characters followed by shell commands like 'reboot'). A practical detection method is to send an authenticated POST request to the `/goform/mDMZSetCfg` endpoint with a crafted `dmzIp` parameter containing a payload like '1.1.1.1\nreboot' and observe if the device executes the command (e.g., reboots). Additionally, monitoring for unexpected reboots or changes in firewall rules may indicate exploitation. Specific commands depend on router access, but checking the NVRAM value for 'wan1.dmzip' or firewall rules for injected commands can help detect compromise. [1, 2]

Mitigation Strategies

Immediate mitigation steps include restricting access to the router's management interface to trusted users only, ensuring strong authentication is in place to prevent unauthorized POST requests to `/goform/mDMZSetCfg`. Since no known patches or countermeasures are identified, it is recommended to avoid using the vulnerable firmware version (V16.03.08.16) and replace the affected device with a non-vulnerable alternative. Monitoring the device for signs of compromise and disabling the DMZ feature if not needed can also reduce risk. [3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1638. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart