A critical command injection flaw in Tenda W20E V4 routers allows unauthenticated attackers to execute arbitrary system-level commands via the USB partition management feature.

This vulnerability stems from the direct use of the usbPartitionName parameter in a system shell command via doSystemCmd. Because the input is not sanitized, an unauthenticated attacker can inject shell metacharacters to execute arbitrary code with root privileges.

With a CVSS score of 9.8, this vulnerability represents an absolute compromise of the device's security model. An attacker can gain a persistent foothold on the network, disable security features, and access any data stored on attached USB devices. This could lead to significant data breaches and long-term undetected presence within the environment.

Immediate Action: Update the device firmware to the latest version to ensure that all inputs to the doSystemCmd function are properly sanitized.

Proactive Monitoring: Audit the router for any unrecognized cron jobs, scripts, or active shell sessions that could indicate a successful breach.

Compensating Controls: Disable USB-related services on the router if they are not required for business operations to eliminate the specific attack vector.

Public Exploit Available: false

Immediate firmware replacement is the only effective way to mitigate this risk. We strongly advise administrators to treat this vulnerability as a top priority and to ensure that no Tenda routers remain exposed to the public internet with outdated software.