CVE-2026-2147
📋 TL;DR
This vulnerability in Tenda AC21 routers allows remote attackers to access sensitive information through the web management interface. Attackers can exploit the /cgi-bin/DownloadLog endpoint to disclose system information without authentication. All users running the affected firmware version are vulnerable.
💻 Affected Systems
- Tenda AC21
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers obtain router configuration details, credentials, or network information that could enable further attacks on the network.
Likely Case
Information disclosure revealing system logs, configuration details, or potentially sensitive network information.
If Mitigated
Limited impact if the web interface is not exposed to untrusted networks and proper network segmentation is in place.
🎯 Exploit Status
Exploit code is publicly available on GitHub. The attack requires no authentication and is simple to execute.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://www.tenda.com.cn/
Restart Required: Yes
Instructions:
1. Check Tenda website for firmware updates
2. Download latest firmware for AC21
3. Access router web interface
4. Navigate to System Tools > Firmware Upgrade
5. Upload and install new firmware
6. Reboot router
🔧 Temporary Workarounds
Disable Web Management Interface
allPrevent access to the vulnerable web interface
Access router CLI via SSH/Telnet and disable web interface if supported
Restrict Web Interface Access
allLimit web interface to trusted IP addresses only
Configure firewall rules to restrict access to router web interface (port 80/443)
🧯 If You Can't Patch
- Segment the router on a separate VLAN with restricted access
- Implement network monitoring for suspicious access to /cgi-bin/DownloadLog endpoint
🔍 How to Verify
Check if Vulnerable:
Access router web interface and check firmware version in System Status or About pageCheck Version:
curl -s http://router-ip/ | grep -i version or check web interfaceVerify Fix Applied:
Verify firmware version is no longer 16.03.08.16 after update📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /cgi-bin/DownloadLog from unusual sources
- Multiple failed or successful access attempts to management interface
Network Indicators:
- Unusual traffic patterns to router web interface
- Requests to DownloadLog endpoint from external IPs
SIEM Query:
source_ip=external AND dest_ip=router_ip AND uri_path="/cgi-bin/DownloadLog"