CVE-2026-2148
Information Disclosure in Tenda AC21 Web Management Interface
Publication date: 2026-02-08
Last updated on: 2026-02-10
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tenda | ac21_firmware | 16.03.08.16 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-2148 is a security vulnerability in the Tenda AC21 router firmware version 16.03.08.16, specifically in the web management interface at the endpoint /cgi-bin/DownloadFlash.'}, {'type': 'paragraph', 'content': 'The vulnerability arises because this endpoint does not enforce any authentication or authorization checks, allowing remote attackers to bypass the login process entirely.'}, {'type': 'paragraph', 'content': "An attacker can remotely download the full binary image of the device's physical flash memory, which includes the operating system filesystem, kernel, bootloader, and sensitive configuration data such as account hashes, hardcoded credentials, and private keys."}, {'type': 'paragraph', 'content': 'This flaw leads to unauthorized disclosure of highly sensitive information and poses a severe security risk.'}] [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if the Tenda AC21 router firmware version 16.03.08.16 exposes the endpoint /cgi-bin/DownloadFlash without requiring authentication.'}, {'type': 'paragraph', 'content': 'A simple way to test this is to send an unauthenticated HTTP GET request to the vulnerable endpoint and observe if the full firmware image is returned.'}, {'type': 'paragraph', 'content': 'For example, you can use the following command to test the vulnerability:'}, {'type': 'list_item', 'content': 'curl -v http://[router-ip]/cgi-bin/DownloadFlash -o firmware_dump.bin'}, {'type': 'paragraph', 'content': "If the command downloads a binary file containing the device's flash memory without any authentication prompt, the device is vulnerable."}, {'type': 'paragraph', 'content': 'Additionally, analyzing the downloaded firmware image for sensitive strings such as "password", "admin", or "private_key" can confirm the presence of sensitive information disclosure.'}] [3]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'Immediate mitigation steps include restricting access to the vulnerable endpoint to prevent unauthorized remote exploitation.'}, {'type': 'list_item', 'content': "Apply firewall rules to block external access to the /cgi-bin/DownloadFlash endpoint, allowing only trusted internal IP addresses to reach the device's web management interface."}, {'type': 'list_item', 'content': 'Disable or remove the /cgi-bin/DownloadFlash CGI interface if it is not required for normal operation, especially if it is intended only for factory testing.'}, {'type': 'list_item', 'content': 'Enforce authentication and authorization checks on the DownloadFlash function to restrict access to authenticated administrators only.'}, {'type': 'paragraph', 'content': 'Long-term mitigation involves updating the device firmware to a version that addresses this vulnerability by implementing proper access controls and possibly encrypting sensitive flash partitions.'}] [2, 3]
How can this vulnerability impact me? :
This vulnerability can have significant impacts including unauthorized disclosure of sensitive information stored on the device.
- Attackers can remotely bypass authentication and download the entire firmware image, exposing sensitive data such as account hashes, hardcoded credentials, and private keys.
- Exposure of this information can lead to further exploitation, including device takeover or compromise of network security.
- The vulnerability can also cause temporary service instability or denial of service when the device stops configuration management services during the exploit.
Because exploitation requires no authentication and can be performed remotely, the risk is elevated for affected devices accessible over the network.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know