A critical vulnerability has been identified in multiple Tenda products, most notably the Tenda AC18 router. This flaw allows an unauthenticated remote attacker to execute arbitrary code on an affected device, potentially leading to a complete system compromise. Successful exploitation could result in data theft, network disruption, and unauthorized access to the internal network.

This vulnerability is an unauthenticated command injection flaw in the web management interface of the affected devices. An attacker can send a specially crafted HTTP request to a specific administrative endpoint without needing to provide any credentials. The device fails to properly sanitize user-supplied input within this request, allowing the attacker to inject and execute arbitrary operating system commands with the privileges of the root user.

This vulnerability is rated as High severity with a CVSS score of 8.8. Exploitation of this flaw could have severe consequences for the organization. A remote attacker gaining root-level control of a network device can intercept sensitive network traffic, pivot to attack other systems on the internal network, install persistent malware, or launch denial-of-service attacks. This poses a significant risk of data breaches, operational downtime, reputational damage, and potential non-compliance with regulatory requirements.

Immediate Action:

• Identify all vulnerable Tenda devices within the environment.
• Apply the security updates provided by the vendor immediately, prioritizing internet-facing devices.
• After patching, monitor devices for any signs of compromise that may have occurred prior to the update.
• Review web access logs for the affected devices, looking for unusual or malicious requests targeting the management interface.

Proactive Monitoring:

• Monitor network traffic for unusual outbound connections originating from affected routers.
• Implement log monitoring to detect suspicious activity, such as unexpected commands in web server logs or attempts to access known vulnerable endpoints.
• Monitor for unexpected system reboots or changes in device configuration.

Compensating Controls:

• If immediate patching is not feasible, restrict access to the device's web management interface. Ensure it is not exposed to the public internet.
• Use a firewall to limit access to the management interface to only trusted IP addresses on a dedicated management network.
• Implement network segmentation to limit the potential impact of a compromised router on other critical network segments.

Public Exploit Available: false

Given the high severity (CVSS 8.8) and the risk of unauthenticated remote code execution, this vulnerability presents a significant and immediate threat to the organization. Although not currently listed on the CISA KEV catalog, its characteristics make it a prime candidate for future inclusion and widespread exploitation. We strongly recommend that organizations prioritize the immediate application of vendor-supplied patches to all affected Tenda devices to prevent compromise.