CVE-2026-1638 is a command injection vulnerability identified in the Tenda AC21 router firmware versions 1.1.1.1, 1.dmzip, and 16.03.08.16. The vulnerability resides in the mDMZSetCfg function, specifically in the /goform/mDMZSetCfg endpoint, which processes the dmzIp parameter. Due to insufficient input validation or sanitization, an attacker can manipulate the dmzIp argument to inject arbitrary system commands. This flaw allows remote attackers to execute commands on the underlying operating system with the privileges of the web server process, potentially leading to full device compromise. The attack vector is network-based, requiring no authentication or user interaction, which significantly lowers the barrier for exploitation. The CVSS v4.0 base score is 5.3, reflecting medium severity, with network attack vector, low attack complexity, no privileges required, and no user interaction needed. The vulnerability affects confidentiality, integrity, and availability as attackers can execute arbitrary commands, potentially exfiltrating data, modifying configurations, or disrupting device operation. Although no known exploits are currently active in the wild, a public exploit has been released, increasing the likelihood of exploitation. The lack of available patches at the time of disclosure necessitates immediate mitigation strategies to reduce exposure. The Tenda AC21 router is commonly used in small to medium enterprises and home networks, making it a relevant target for attackers aiming to pivot into internal networks or disrupt connectivity.

For European organizations, this vulnerability poses a significant risk as compromised routers can serve as entry points for broader network intrusions, data exfiltration, or denial of service. Attackers exploiting this flaw can gain control over the router, manipulate network traffic, intercept sensitive communications, or disrupt internet connectivity. This is particularly critical for organizations relying on Tenda AC21 routers in their network infrastructure, including SMEs and remote offices. The exposure is heightened by the remote, unauthenticated nature of the exploit, allowing attackers to target devices over the internet or local networks without user interaction. Additionally, compromised routers can be leveraged as part of botnets or for lateral movement within corporate networks. The impact extends to confidentiality breaches, integrity violations through unauthorized configuration changes, and availability disruptions caused by device instability or denial of service. Given the public availability of an exploit, the threat landscape is likely to evolve rapidly, necessitating proactive defense measures.

1. Immediately restrict remote management access to the Tenda AC21 routers by disabling WAN-side administration or limiting access to trusted IP addresses. 2. Monitor network traffic for unusual patterns or command injection attempts targeting the /goform/mDMZSetCfg endpoint. 3. Apply firmware updates or patches from Tenda as soon as they are released to address this vulnerability. 4. If patches are not yet available, consider temporarily replacing affected devices with alternative hardware or isolating them from critical network segments. 5. Implement network segmentation to limit the impact of a compromised router on the broader corporate network. 6. Employ intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics capable of detecting command injection attempts. 7. Conduct regular vulnerability assessments and penetration testing focusing on network perimeter devices. 8. Educate IT staff about this vulnerability and ensure incident response plans include scenarios involving router compromise. 9. Review and harden router configurations, disabling unnecessary services and enforcing strong administrative credentials. 10. Maintain an inventory of all Tenda AC21 devices in use to ensure comprehensive coverage of mitigation efforts.