| Title | Tenda AC21 V16.03.08.16 Missing Critical Step in Authentication |
|---|
| Description | Tenda AC21 V16.03.08.16 is susceptible to an Unauthenticated Firmware Download vulnerability. This flaw stems from a design deficiency in the Web management interface. The /cgi-bin/DownloadFlash path fails to implement any Authentication or Authorization checks when handling HTTP requests.
A remote attacker can bypass the login process entirely (no username or password required) and induce the device to export the full binary image of the physical Flash memory by directly accessing this path. This image typically contains the complete operating system filesystem, kernel, bootloader, and sensitive configuration data (such as account hashes, hardcoded credentials, private keys, etc.). |
|---|
| Source | ⚠️ https://github.com/master-abc/cve/issues/27 |
|---|
| User | jiefengliang (UID 93721) |
|---|
| Submission | 01/27/2026 18:07 (3 months ago) |
|---|
| Moderation | 02/07/2026 08:51 (11 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 344850 [Tenda AC21 16.03.08.16 Web Management Interface /cgi-bin/DownloadFlash information disclosure] |
|---|
| Points | 20 |
|---|