CVE-2026-1638 is a command injection vulnerability affecting the Tenda AC21 router firmware versions 1.1.1.1, 1.dmzip, and 16.03.08.16. The vulnerability resides in the mDMZSetCfg function, specifically in the /goform/mDMZSetCfg web endpoint. The dmzIp parameter is improperly sanitized, allowing an attacker to inject arbitrary OS commands. This flaw can be exploited remotely without authentication or user interaction, making it highly accessible to attackers scanning for vulnerable devices. The vulnerability's CVSS 4.0 score is 5.3 (medium), reflecting the moderate impact and ease of exploitation but limited scope and privileges required. Successful exploitation could allow attackers to execute arbitrary commands on the router, potentially leading to full device compromise, network traffic interception, or pivoting to internal networks. Although no active exploitation has been reported, the public availability of an exploit increases the likelihood of attacks. The lack of vendor patches at the time of disclosure necessitates immediate mitigation steps to reduce exposure. The vulnerability does not require user interaction or prior authentication, increasing its risk profile. The affected devices are commonly used in small office and home office environments, which may be part of larger organizational networks, thus expanding the potential attack surface.

For European organizations, this vulnerability poses a significant risk to network security and operational continuity. Compromise of Tenda AC21 routers could lead to unauthorized command execution, allowing attackers to alter router configurations, intercept or redirect network traffic, or establish persistent backdoors. This could result in data breaches, disruption of business operations, or lateral movement within corporate networks. Small and medium enterprises (SMEs) and home office setups using these routers are particularly vulnerable, as they may lack robust network segmentation or monitoring. Critical infrastructure sectors relying on these devices could face increased risk of targeted attacks or espionage. The remote and unauthenticated nature of the exploit means attackers can scan and compromise devices en masse, potentially leading to widespread disruption. Additionally, the public availability of an exploit increases the urgency for European organizations to assess their exposure and implement mitigations promptly.

1. Immediately identify and inventory all Tenda AC21 devices within the network, including those in remote or branch offices. 2. Restrict remote management access to the routers by disabling WAN-side web administration or limiting access to trusted IP addresses. 3. Implement network segmentation to isolate vulnerable devices from critical systems and sensitive data. 4. Monitor network traffic for unusual requests to the /goform/mDMZSetCfg endpoint or unexpected command execution patterns. 5. Apply any vendor-supplied firmware updates or patches as soon as they become available. 6. If patches are not yet available, consider temporary mitigations such as firewall rules blocking access to the vulnerable endpoint or replacing affected devices. 7. Educate IT staff about the vulnerability and the importance of securing network devices. 8. Conduct regular vulnerability scans to detect unpatched or vulnerable devices. 9. Employ intrusion detection/prevention systems (IDS/IPS) tuned to detect exploitation attempts targeting this vulnerability. 10. Maintain backups of router configurations and network device inventories to facilitate rapid recovery if compromise occurs.