Tenda · Tenda Ac9 · CVE-2020-26728
**Name of the Vulnerable Software and Affected Versions**
Tenda AC9 version V15.03.06.42 multi
Tenda AC9 version V15.03.05.19(6318) CN
**Description**
A vulnerability was discovered that allows remote code execution via shell metacharacters in the `guestuser` field to the `fastcall` function with a POST request to the API endpoint.
**Recommendations**
For Tenda AC9 version V15.03.06.42 multi, consider disabling the `fastcall` function until a patch is available.
For Tenda AC9 version V15.03.05.19(6318) CN, avoid using the `guestuser` field in the affected API endpoint until the issue is resolved.
As a temporary workaround, restrict access to the vulnerable module to minimize the risk of exploitation.
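
The check below is an added example, not code from this advisory or from Tenda firmware: a strict allowlist on the `guestuser` value of a POST body, the validation whose absence lets shell metacharacters through, usable in a filter in front of the management interface. It assumes an `application/x-www-form-urlencoded` body; the function names, the allowed character set and the 32-character limit are assumptions.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define GUESTUSER_MAX 32 /* assumed length limit, not taken from the firmware */
#define ALLOWED "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.-"

/* Decode a form-encoded token. Returns the decoded length, or -1 on bad
 * %XX encoding, a decoded NUL byte, or a result longer than cap - 1. */
static int form_decode(const char *in, size_t len, char *out, size_t cap)
{
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c == '+') {
            c = ' ';
        } else if (c == '%') {
            if (len - i < 3 || !isxdigit((unsigned char)in[i + 1]) ||
                !isxdigit((unsigned char)in[i + 2]))
                return -1;
            char hex[3] = { in[i + 1], in[i + 2], '\0' };
            c = (unsigned char)strtol(hex, NULL, 16);
            i += 2;
        }
        if (c == '\0' || o + 1 >= cap)
            return -1;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return (int)o;
}

/* Returns 1 if the body may be forwarded: every guestuser value decodes to
 * 1..GUESTUSER_MAX characters from ALLOWED (or the field is absent), else 0. */
int guestuser_body_ok(const char *body)
{
    for (const char *p = body; *p; ) {
        size_t len = strcspn(p, "&");   /* one name=value pair */
        size_t klen = strcspn(p, "=&"); /* name ends at '=' or at the pair end */
        char name[64], val[GUESTUSER_MAX + 1];
        if (form_decode(p, klen, name, sizeof name) < 0)
            return 0; /* undecodable or oversized name: fail closed */
        if (strcmp(name, "guestuser") == 0) { /* compared after decoding the name */
            int n = klen < len
                ? form_decode(p + klen + 1, len - klen - 1, val, sizeof val) : -1;
            if (n < 1 || strspn(val, ALLOWED) != (size_t)n)
                return 0;
        }
        p += len + (p[len] == '&'); /* step over the pair and its separator */
    }
    return 1;
}
```

The field name is compared after decoding and every occurrence is checked, so a percent-encoded name or a repeated parameter does not bypass the filter.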