CVE-2022-41396 is a high-severity command injection vulnerability affecting the Tenda AC1200 Router Model W15Ev2 running firmware version V15.11.0.10(1576). The vulnerability resides in the function setIPsecTunnelList, specifically within the parameters IPsecLocalNet and IPsecRemoteNet. These parameters are used to configure IPsec tunnels on the router. Due to insufficient input validation or sanitization, an attacker with limited privileges (local access with low privileges) can inject arbitrary commands through these parameters. The vulnerability allows execution of arbitrary system commands with the privileges of the affected process, potentially leading to full compromise of the device. The CVSS v3.1 base score is 7.8, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity and no user interaction required. The attack vector is local (AV:L), meaning the attacker must have local network access or authenticated access to the device's management interface. The vulnerability is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command). No public exploits are currently known in the wild, and no patches have been linked or published yet. This vulnerability could be exploited by an attacker who gains access to the router's management interface or local network, enabling them to execute arbitrary commands, potentially leading to network compromise, interception of traffic, or disruption of services.

For European organizations, this vulnerability poses a significant risk especially for those using Tenda AC1200 W15Ev2 routers in their network infrastructure. Successful exploitation could lead to unauthorized control over the router, allowing attackers to intercept, modify, or redirect network traffic, which compromises confidentiality and integrity of communications. Additionally, attackers could disrupt network availability by altering configurations or causing device failures. This is particularly critical for small and medium enterprises or branch offices that rely on consumer-grade routers like the Tenda AC1200 for VPN or IPsec tunnel connectivity. The local attack vector means that attackers would need to be inside the network or have credentials to access the router interface, which could be achieved through phishing, credential reuse, or insider threats. Given the high impact on confidentiality, integrity, and availability, exploitation could lead to data breaches, espionage, or denial of service conditions affecting business operations and compliance with data protection regulations such as GDPR.

1. Immediate mitigation should include restricting access to the router's management interface to trusted networks and users only, preferably via VPN or secure management VLANs. 2. Change default or weak credentials to strong, unique passwords to prevent unauthorized access. 3. Disable remote management features if not required to reduce exposure. 4. Monitor network traffic for unusual activity that could indicate exploitation attempts. 5. Segment the network to limit lateral movement in case of compromise. 6. Regularly audit and update router firmware; although no patch is currently linked, monitor Tenda's official channels for security updates addressing this vulnerability. 7. Consider replacing vulnerable devices with enterprise-grade routers that have better security controls and timely patching. 8. Implement network intrusion detection systems (NIDS) to detect command injection attempts or abnormal command executions on network devices. 9. Educate staff on the risks of credential compromise and enforce multi-factor authentication where possible for device management.