CVE-2019-5071

Name of the Vulnerable Software and Affected Versions Tenda AC9 Router AC1200 Smart Dual-Band Gigabit WiFi Route version AC9V1.0 Firmware V15.03.05.16multiTRU

Description A command injection issue exists in the /goform/WanParameterSetting functionality. This can be triggered by a specially crafted HTTP POST request, causing command injection in the DNS1 post parameters and resulting in code execution. An attacker can exploit this by sending an HTTP POST request with a command.

Recommendations For Tenda AC9 Router AC1200 Smart Dual-Band Gigabit WiFi Route version AC9V1.0 Firmware V15.03.05.16multiTRU, as a temporary workaround, consider restricting access to the /goform/WanParameterSetting functionality until a patch is available. Avoid using the DNS1 parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.