CVE-2021-27691
Description
Remote command injection in Tenda G0, G1, G3 routers allows unauthenticated attackers to execute arbitrary OS commands via crafted setDebugCfg requests.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Remote command injection in Tenda G0, G1, G3 routers allows unauthenticated attackers to execute arbitrary OS commands via crafted setDebugCfg requests.
Vulnerability
A command injection vulnerability exists in the formSetDebugCfg function of Tenda G0 routers (firmware versions v15.11.0.6(9039)_CN and v15.11.0.5(5876)_CN) and Tenda G1 and G3 routers (firmware versions v15.11.0.17(9502)_CN or v15.11.0.16(9024)_CN). The function passes untrusted user input from the pEnable parameter directly to glibc's system function without sanitization, allowing injection of arbitrary OS commands [1].
Exploitation
An unauthenticated remote attacker can send a crafted GET request to the vulnerable endpoint /action/setDebugCfg with a specially crafted enable parameter containing command injection payloads, such as aaa;ping x.x.x.x;. No authentication or special network position is required beyond network access to the router's management interface [1].
Impact
Successful exploitation allows the attacker to execute arbitrary OS commands on the router with root privileges, leading to full device compromise, including disclosure of sensitive information, modification of device configuration, and potential use as a pivot for further network attacks [1].
Mitigation
As of the publication date (2021-04-15), no official patch or firmware update has been announced by Tenda. Users are advised to restrict network access to the router's management interface, monitor for vendor updates, and consider replacing end-of-life devices if no fix is provided. The vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
4- Tenda/G0 routersdescription
- Range: v15.11.0.17(9502)_CN or v15.11.0.16(9024)_CN
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"The `formSetDebugCfg` function passes untrusted user input directly to `glibc`'s `system` function and copies it into a stack buffer via `sprintf` without bounds checking."
Attack vector
An unauthenticated remote attacker sends a crafted GET request to `/action/setDebugCfg` with the `enable` parameter set to a payload such as `aaa;ping x.x.x.x;`. The `formSetDebugCfg` function passes this unsanitized input to `glibc`'s `system` function, causing the injected OS command to be executed. The same parameter can also be filled with a long string to trigger a stack-based buffer overflow via `sprintf`. [ref_id=1]
Affected code
The vulnerability resides in the `formSetDebugCfg` function of Tenda G0, G1, and G3 routers. The function passes user-controlled parameters (`pEnable`, `pLevel`, `pModule`) directly to `glibc`'s `system` function without sanitization, and also uses `sprintf` to copy the same input onto a stack buffer, enabling both command injection and buffer overflow. [ref_id=1]
What the fix does
The advisory does not include a patch diff. To remediate, the vendor must sanitize user-supplied input before passing it to `system()` and replace unsafe `sprintf` usage with bounds-checked functions. Input validation or whitelisting of allowed values for `pEnable`, `pLevel`, and `pModule` would prevent both command injection and buffer overflow. [ref_id=1]
Preconditions
- configThe target router must be a Tenda G0, G1, or G3 running one of the listed firmware versions.
- networkThe attacker must be able to send HTTP GET requests to the router's management interface.
Reproduction
Send a GET request to `http://<router-ip>/action/setDebugCfg?enable=aaa;ping x.x.x.x;`. The router will execute the injected `ping` command. [ref_id=1]
Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1- hackmd.io/%40aZYpdinUS2SD-yhAeHwOkw/rkhTCGzMdmitrex_refsource_MISC
News mentions
0No linked articles in our index yet.