CVE-2026-4253
OS Command Injection in Tenda AC8 Web Interface (Remote Exploit
Publication date: 2026-03-16
Last updated on: 2026-04-29
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tenda | ac8_firmware | 16.03.50.11 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-4253 is a stored OS command injection vulnerability in the Tenda AC8 router firmware version 16.03.50.11. It occurs in the web interface component, specifically in the function route_set_user_policy_rule within the /cgi-bin/UploadCfg endpoint.

The vulnerability arises because the router processes user-defined policy rules from its configuration without sanitizing special shell characters. The argument wans.policy.list1, which contains the policy rules, is parsed and used directly in a system command that configures iptables. Because no sanitization is performed, an attacker can inject shell command substitutions (e.g., $(telnetd)) into the destination IP field of a policy rule.

When the device reboots and processes the malicious configuration, the injected shell commands are executed with root privileges, allowing the attacker to run arbitrary commands on the device remotely.

The attack requires authentication to the router's web interface to upload a crafted configuration file, but once done, it results in persistent remote root shell access via a telnet daemon started on port 23. [1, 2, 3]
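The following added example is not code from the advisory or from Tenda's firmware; it illustrates in Python the CWE-78 pattern the answer describes. One function interpolates a rule's fields straight into a shell command line, the way the text says the firmware builds its iptables command, so any substitution placed in the destination field becomes part of the command. The hardened counterpart validates each field against its expected type (IP literal, port, protocol) and returns an argv list for exec-style invocation with no shell in the path. The rule field names and layout are assumptions for this example; only the iptables target and the $(...) substitution pattern come from the page.

```python
from ipaddress import ip_address

# Constructed rules, modelled loosely on the advisory's description of a policy
# rule whose destination-IP field reaches iptables. The field layout is an
# assumption for this example, not the firmware's real format.
CLEAN_RULE = {"proto": "tcp", "src": "192.168.0.10", "dst": "10.0.0.1", "dport": "80"}
TAINTED_RULE = {"proto": "tcp", "src": "192.168.0.11", "dst": "$(telnetd)", "dport": "80"}


def build_command_unsafe(rule):
    """CWE-78 pattern: untrusted fields are interpolated into one command string
    that is later handed to a shell (system()-style). Whatever the shell treats
    specially in rule['dst'] is interpreted before iptables ever sees it."""
    return ("iptables -A FORWARD -p %(proto)s -s %(src)s -d %(dst)s "
            "--dport %(dport)s -j ACCEPT" % rule)


def build_command_safe(rule):
    """Hardened form: each field is checked against the type it must have, and the
    result is an argv list for an exec-style call (e.g. subprocess.run(argv)),
    so no shell parses the values even if validation were ever bypassed."""
    if rule["proto"] not in ("tcp", "udp"):
        raise ValueError("unsupported protocol: %r" % rule["proto"])
    # ip_address() raises ValueError for anything that is not an IP literal,
    # which is exactly what rejects a shell substitution in the address field.
    src = str(ip_address(rule["src"]))
    dst = str(ip_address(rule["dst"]))
    port = int(rule["dport"])
    if not 0 < port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return ["iptables", "-A", "FORWARD", "-p", rule["proto"],
            "-s", src, "-d", dst, "--dport", str(port), "-j", "ACCEPT"]


if __name__ == "__main__":
    print("unsafe :", build_command_unsafe(TAINTED_RULE))
    print("safe   :", build_command_safe(CLEAN_RULE))
    try:
        build_command_safe(TAINTED_RULE)
    except ValueError as exc:
        print("rejected:", exc)
```

The two defences are independent: type validation stops the tainted value at the parser, and the argv form removes the shell interpreter from the execution path, so a rule that slipped past validation would reach iptables as an opaque argument rather than as a command.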
How can this vulnerability impact me?
This vulnerability allows an attacker with administrative access to the router's web interface to execute arbitrary operating system commands as root on the device.

The attacker can gain persistent root shell access remotely by injecting malicious configuration rules that launch a telnet daemon on the router, bypassing normal authentication controls.

Such control compromises the confidentiality, integrity, and availability of the affected system, potentially allowing the attacker to intercept, modify, or disrupt network traffic, install malware, or use the device as a foothold for further attacks.

Because the malicious configuration persists across reboots, the attacker maintains long-term control until a factory reset is performed. [1, 2, 3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of a telnet daemon running on port 23 on the Tenda AC8 router, which is unusual for this device and indicates exploitation.

You can also verify whether the router configuration contains malicious policy rules by downloading the current configuration file via the router's web interface endpoint `/cgi-bin/DownloadCfg` and inspecting the `wans.policy.list1` field for suspicious command substitution patterns such as `$(telnetd)`.

Suggested commands to detect exploitation include:

- Use network scanning tools to check whether port 23 (telnet) is open on the router's IP address, e.g., `nmap -p 23 <router_ip>`.
- If you have shell access to the router, check running processes for a telnet daemon: `ps | grep telnetd`.
- Download and inspect the router configuration file by authenticating to the web interface and accessing `/cgi-bin/DownloadCfg`, then search for `wans.policy.list1` entries containing shell command injection patterns like `$()`.

[1, 3]
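As an added example, not part of the advisory, the following Python script applies the configuration check described above to a constructed configuration dump: it reads `wans.policy.enable`, scans every `wans.policy.list1` value for shell metacharacters (the `$()` pattern the answer names, plus backticks, separators, redirection and quoting), and then checks each remaining rule field against a strict allowlist so that anything outside the expected character set is reported even when no known metacharacter is present. The key=value layout and the comma-separated rule fields are assumptions for this example; only the two key names and the `$(...)` pattern come from the page.

```python
import re

# Constructed sample of a router configuration dump in key=value form.
# The key=value layout and the comma-separated rule fields are assumptions for
# this example; only the key names wans.policy.enable and wans.policy.list1 and
# the $(...) substitution pattern are taken from the advisory text.
SAMPLE_CONFIG = """\
lan.ip=192.168.0.1
wans.policy.enable=1
wans.policy.list1=1,tcp,192.168.0.10,10.0.0.1,80
wans.policy.list1=1,tcp,192.168.0.11,$(telnetd),80
wans.policy.list1=1,udp,192.168.0.12,10.0.0.2;reboot,53
"""

# Characters that let a value escape a shell argument: substitution, quoting,
# command separators, redirection, grouping and globbing. None belong in a rule.
SHELL_META = re.compile(r"[$`;|&<>(){}\[\]*?'\"\\\n]")

# Allowlist for a single rule field: letters, digits, dot, colon, slash, underscore, dash.
FIELD_OK = re.compile(r"^[A-Za-z0-9.:/_-]*$")


def parse_config(text):
    """Yield (key, value) pairs from a key=value dump, skipping blank and comment lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        yield key.strip(), value


def policy_processing_enabled(text):
    """True when wans.policy.enable is present and set to anything other than 0."""
    for key, value in parse_config(text):
        if key == "wans.policy.enable":
            return value.strip() != "0"
    return False  # key absent: the vulnerable code path is not reached


def find_suspicious_rules(text):
    """Return (rule_value, reason) pairs for wans.policy.list1 entries that fail validation.

    First pass: blocklist of shell metacharacters, which matches the injection
    patterns the advisory describes. Second pass: allowlist per field, which
    also catches characters the blocklist does not enumerate."""
    findings = []
    for key, value in parse_config(text):
        if key != "wans.policy.list1":
            continue
        m = SHELL_META.search(value)
        if m:
            findings.append((value, "shell metacharacter %r" % m.group(0)))
            continue
        bad = [field for field in value.split(",") if not FIELD_OK.match(field)]
        if bad:
            findings.append((value, "field outside allowlist: %r" % bad[0]))
    return findings


if __name__ == "__main__":
    print("policy processing enabled:", policy_processing_enabled(SAMPLE_CONFIG))
    for rule, reason in find_suspicious_rules(SAMPLE_CONFIG):
        print("SUSPICIOUS:", rule, "->", reason)
```

To use it on a real device, save the file obtained from `/cgi-bin/DownloadCfg`, adapt `parse_config` to the actual dump format, and feed the text to `find_suspicious_rules`; a non-empty result on a router whose policy processing is enabled is the indicator the answer describes, and any hit should be treated as evidence of tampering rather than a false positive until the rule's origin is explained.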
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling the processing of user policy rules by setting `wans.policy.enable` to 0 if possible, to prevent the vulnerable function from executing injected commands.

Remove or reset any malicious configuration entries in the router configuration, especially those in `wans.policy.list1` that contain command injection payloads.

Perform a factory reset of the router to clear any persistent malicious configuration stored in flash memory, as the injected commands persist across reboots.

Change the router's admin password to a strong, unique password to prevent unauthorized access.

Monitor the router for unexpected open ports such as telnet on port 23 and disable or block such services if detected.

Since no official vendor patch or mitigation is currently available, consider replacing the affected device with a secure alternative. [2, 3]