Executive Summary

CVE-2026-2147 is an information disclosure vulnerability in the Tenda AC21 router firmware version 16.03.08.16. It affects the Web Management Interface, specifically the endpoint /cgi-bin/DownloadLog, which lacks proper authentication and authorization checks.

This flaw allows remote attackers to send unauthenticated HTTP requests to the vulnerable endpoint and download sensitive system logs without any credentials. The logs may contain internal IP addresses, network topology, device MAC addresses, connection records, system error messages, debugging information, and login attempt records including usernames and failed password attempts.

The vulnerability arises because the backend function handling /cgi-bin/DownloadLog does not verify user sessions or tokens before processing requests, enabling attackers to bypass login and access sensitive information remotely.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information from your network device. Attackers can remotely access detailed system logs without authentication.

• Exposure of internal IP addresses and network topology details.
• Leakage of device MAC addresses and connection records.
• Disclosure of system error messages and debugging information.
• Potential exposure of login attempt records, including usernames and failed password attempts.

Such information can aid attackers in mapping your network, identifying vulnerable devices, and launching further targeted attacks, increasing the risk of compromise.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to access the vulnerable endpoints on the Tenda AC21 router without authentication and checking if sensitive logs are returned.'}, {'type': 'paragraph', 'content': 'A practical detection method involves sending unauthenticated HTTP GET requests to the endpoints /cgi-bin/DownloadLog or /cgi-bin/DownloadSyslog and analyzing the response for sensitive information such as internal IP addresses, MAC addresses, usernames, or error messages.'}, {'type': 'paragraph', 'content': 'For example, using curl commands to test the endpoints:'}, {'type': 'list_item', 'content': 'curl http://<router-ip>/cgi-bin/DownloadLog'}, {'type': 'list_item', 'content': 'curl http://<router-ip>/cgi-bin/DownloadSyslog'}, {'type': 'paragraph', 'content': 'If the response contains system logs or sensitive information without requiring authentication, the vulnerability is present.'}, {'type': 'paragraph', 'content': "Additionally, a Python script using the requests library can automate this detection by sending GET requests and analyzing the content for keywords like 'password', 'admin', 'fail', or IP addresses."}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable web management interface endpoints to prevent unauthorized access.

• Apply strict firewall rules to block external or untrusted IP addresses from accessing /cgi-bin/DownloadLog and /cgi-bin/DownloadSyslog endpoints.
• Enforce authentication and session validation on the vulnerable endpoints to ensure only authorized administrators can access system logs.
• Implement Access Control Lists (ACLs) to limit access to these endpoints to trusted internal IP addresses.
• Remove or disable debugging interfaces and sensitive log download features in production firmware if possible.
• Consider applying data masking techniques to redact sensitive information in logs before they are transmitted.

Useful 0 Not Useful 0