Tenda · Tenda Ac9 Router · CVE-2019-5072
**Name of the Vulnerable Software and Affected Versions**
Tenda AC9 Router AC1200 Smart Dual-Band Gigabit WiFi Router version AC9V1.0 Firmware V15.03.05.16multiTRU
**Description**
An exploitable command injection issue exists in the `/goform/WanParameterSetting` functionality. A specially crafted HTTP POST request can cause a command injection through the `DNS2` POST parameter, resulting in code execution. An attacker can send an HTTP POST request with a command to trigger this issue.
**Recommendations**
For Tenda AC9 Router AC1200 Smart Dual-Band Gigabit WiFi Router version AC9V1.0 Firmware V15.03.05.16multiTRU, as a temporary workaround, consider restricting access to the `/goform/WanParameterSetting` functionality until a patch is available. Avoid using the `DNS2` parameter of the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.
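
Where requests to the router's web interface can be observed (a filtering proxy or captured traffic), the check below flags POSTs to the affected endpoint whose `DNS2` value is not a plain IPv4 address. It is an added example, not code from the advisory or the vendor; it assumes a form-encoded body and that a legitimate `DNS2` is either empty or an IPv4 address, and the function names and sample requests are constructed for illustration.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/goform/WanParameterSetting"  # endpoint named in the advisory
PARAM = "DNS2"                            # parameter named in the advisory


def is_plain_ipv4(value: str) -> bool:
    """True only for a bare dotted-quad address with nothing before or after it."""
    try:
        ipaddress.IPv4Address(value)
    except ValueError:
        return False
    return True


def check_request(method: str, target: str, body: str) -> list[str]:
    """Return findings for one observed request; an empty list means nothing to flag."""
    if method.upper() != "POST" or urlsplit(target).path != ENDPOINT:
        return []
    # parse_qs percent-decodes values; keep blanks so an empty DNS2 is still seen.
    values = parse_qs(body, keep_blank_values=True).get(PARAM, [])
    findings = []
    if len(values) > 1:
        # Repeated parameters can be read differently by a filter and by the device.
        findings.append(f"{PARAM} supplied {len(values)} times")
    for value in values:
        # Assumption: an empty DNS2 (no secondary server) is legitimate.
        if value and not is_plain_ipv4(value):
            findings.append(f"{PARAM} is not a plain IPv4 address: {value!r}")
    return findings


# Constructed sample requests (method, target, body); not captured traffic.
# "example" is a placeholder field, not a parameter taken from the firmware.
SAMPLES = [
    ("POST", ENDPOINT, "example=1&DNS2=8.8.4.4"),
    ("POST", ENDPOINT, "example=1&DNS2=8.8.4.4%3BCONSTRUCTED"),
    ("POST", ENDPOINT, "example=1&DNS2=8.8.4.4&DNS2=1.1.1.1"),
    ("GET", "/index.html", ""),
]

if __name__ == "__main__":
    for method, target, body in SAMPLES:
        print(method, target, body, "->", check_request(method, target, body) or "ok")
```

The check is an allow-list on the value's shape rather than a search for particular characters, so anything other than a bare address is reported.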