{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1638", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-01-29T16:56:25.779Z", "datePublished": "2026-01-29T23:32:11.350Z", "dateUpdated": "2026-02-23T09:08:03.393Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T09:08:03.393Z"}, "title": "Tenda AC21 mDMZSetCfg command injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-77", "lang": "en", "description": "Command Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-74", "lang": "en", "description": "Injection"}]}], "affected": [{"vendor": "Tenda", "product": "AC21", "versions": [{"version": "1.1.1.1", "status": "affected"}, {"version": "1.dmzip", "status": "affected"}, {"version": "16.03.08.16", "status": "affected"}], "cpes": ["cpe:2.3:o:tenda:ac21_firmware:*:*:*:*:*:*:*:*"]}], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in Tenda AC21 1.1.1.1/1.dmzip/16.03.08.16. The impacted element is the function mDMZSetCfg of the file /goform/mDMZSetCfg. The manipulation of the argument dmzIp results in command injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-01-29T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-01-29T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-02-05T05:52:10.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "LX-LX (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.343417", "name": "VDB-343417 | Tenda AC21 mDMZSetCfg command injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.343417", "name": "VDB-343417 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.740871", "name": "Submit #740871 | Tenda AC21 V16.03.08.16 Command Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/LX-LX88/cve/issues/26", "tags": ["broken-link", "exploit", "issue-tracking"]}, {"url": "https://www.tenda.com.cn/", "tags": ["product"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-30T18:25:39.642410Z", "id": "CVE-2026-1638", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-30T18:25:59.761Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1638", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-30T18:25:39.642410Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-30T18:25:53.616Z"}}], "cna": {"title": "Tenda AC21 mDMZSetCfg command injection", "credits": [{"lang": "en", "type": "reporter", "value": "LX-LX (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"cpes": ["cpe:2.3:o:tenda:ac21_firmware:*:*:*:*:*:*:*:*"], "vendor": "Tenda", "product": "AC21", "versions": [{"status": "affected", "version": "1.1.1.1"}, {"status": "affected", "version": "1.dmzip"}, {"status": "affected", "version": "16.03.08.16"}]}], "timeline": [{"lang": "en", "time": "2026-01-29T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-01-29T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-02-05T05:52:10.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.343417", "name": "VDB-343417 | Tenda AC21 mDMZSetCfg command injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.343417", "name": "VDB-343417 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.740871", "name": "Submit #740871 | Tenda AC21 V16.03.08.16 Command Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/LX-LX88/cve/issues/26", "tags": ["broken-link", "exploit", "issue-tracking"]}, {"url": "https://www.tenda.com.cn/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in Tenda AC21 1.1.1.1/1.dmzip/16.03.08.16. The impacted element is the function mDMZSetCfg of the file /goform/mDMZSetCfg. The manipulation of the argument dmzIp results in command injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "Command Injection"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T09:08:03.393Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1638", "state": "PUBLISHED", "dateUpdated": "2026-02-23T09:08:03.393Z", "dateReserved": "2026-01-29T16:56:25.779Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-01-29T23:32:11.350Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:tenda:ac21_firmware:16.03.08.16:*:*:*:*:*:*:*", "matchCriteriaId": "089AC516-5475-4725-B348-832A00ED0CC3", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:tenda:ac21:-:*:*:*:*:*:*:*", "matchCriteriaId": "05B05222-6E83-487C-A083-CED82D803330", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in Tenda AC21 1.1.1.1/1.dmzip/16.03.08.16. The impacted element is the function mDMZSetCfg of the file /goform/mDMZSetCfg. The manipulation of the argument dmzIp results in command injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks."}, {"lang": "es", "value": "Se ha descubierto una falla de seguridad en Tenda AC21 1.1.1.1/1.dmzip/16.03.08.16. El elemento afectado es la funci\u00f3n mDMZSetCfg del archivo /goform/mDMZSetCfg. La manipulaci\u00f3n del argumento dmzIp resulta en inyecci\u00f3n de comandos. El ataque puede ser ejecutado remotamente. El exploit ha sido publicado y puede ser usado para ataques."}], "id": "CVE-2026-1638", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.1, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-01-30T00:15:57.563", "references": [{"source": "cna@vuldb.com", "tags": ["Broken Link"], "url": "https://github.com/LX-LX88/cve/issues/26"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required", "VDB Entry"], "url": "https://vuldb.com/?ctiid.343417"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?id.343417"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?submit.740871"}, {"source": "cna@vuldb.com", "tags": ["Product"], "url": "https://www.tenda.com.cn/"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-77"}], "source": "cna@vuldb.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-77"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T01:14:57.570780+00:00", "value": {"mitigation_remediation": ["Apply the official firmware update released by Tenda that removes the injection point in mDMZSetCfg.", "Disable or restrict access to the DMZ configuration interface, ensuring that only trusted administrators can reach it, or block the /goform/mDMZSetCfg endpoint via the router firewall.", "Enforce proper input validation on the dmzIp field or otherwise isolate the router from untrusted hosts by segmenting the network."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Affected devices are Tenda AC21 routers running firmware version 16.03.08.16 or earlier, including the embedded configuration server accessed at 1.1.1.1/1.dmzip. The vendor Tenda cites the AC21 series as impacted.", "description_and_impact": "The Tenda AC21 router is vulnerable to command injection through the dmzIp argument of the /goform/mDMZSetCfg endpoint. Supplying a crafted value allows an attacker to execute arbitrary shell commands on the device. This flaw constitutes a remote code execution vulnerability (CWE-74, CWE-77) that undermines the confidentiality, integrity, and availability of the router and any host behind it.", "risk_and_exploitability": "The CVSS base score of 5.3 reflects a medium severity, and the EPSS score of less than 1% indicates a low exploitation probability as of the current data. The vulnerability is not listed in the CISA KEV catalog. Attackers can trigger the injection by sending an unauthenticated HTTP request to the exposed internal interface; a publicly available exploit has already been released, so any device with the affected firmware and exposed interface is potentially exploitable."}}}}, "created": "2026-01-30T08:42:27.554000+00:00", "updated": "2026-04-18T01:15:05.998147+00:00", "vendors": ["tenda", "tenda$PRODUCT$ac21"]}