A critical vulnerability has been discovered in Tenda AC21 and AC23 routers that could allow a remote, unauthenticated attacker to execute arbitrary code and take full control of the affected device.

The vulnerability exists within the GetParentControlInfo function accessible via the /goform/GetParentControlInfo endpoint. An unauthenticated remote attacker can send a specially crafted request with a manipulated argument to trigger an unspecified flaw, likely leading to remote code execution.

With a CVSS score of 9.8 (Critical), this vulnerability represents a severe risk to network security. A successful exploit would grant an attacker complete control over the router, allowing them to intercept network traffic, access connected devices, launch further attacks against the internal network, or use the device as part of a botnet. This could lead to significant data breaches and operational disruption.

Immediate Action: Immediately update the firmware on all affected Tenda AC21 and AC23 devices to the latest version provided by the vendor.

Proactive Monitoring: Review router logs for any unusual requests to the /goform/GetParentControlInfo endpoint. Monitor network traffic for signs of compromise or communication with known malicious command-and-control servers.

Compensating Controls: If patching is not immediately possible, restrict access to the device's management interface from the internet and untrusted networks.

Public Exploit Available: unknown

The critical nature of this vulnerability warrants immediate attention. The potential for a complete network compromise is extremely high. Administrators are strongly advised to prioritize the deployment of the vendor-supplied firmware update to all affected Tenda routers without delay to mitigate this risk.