CVE-2019-5072

Name of the Vulnerable Software and Affected Versions Tenda AC9 Router AC1200 Smart Dual-Band Gigabit WiFi Route version AC9V1.0 Firmware V15.03.05.16multiTRU

Description An exploitable command injection issue exists in the /goform/WanParameterSetting functionality. A specially crafted HTTP POST request can cause a command injection in the DNS2 post parameters, resulting in code execution. An attacker can send an HTTP POST request with a command to trigger this issue.

Recommendations For Tenda AC9 Router AC1200 Smart Dual-Band Gigabit WiFi Route version AC9V1.0 Firmware V15.03.05.16multiTRU, as a temporary workaround, consider restricting access to the /goform/WanParameterSetting functionality until a patch is available. Avoid using the DNS2 parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.