CERT/CC has issued a warning about multiple unpatched command injection flaws in Tenda's 4G03 Pro and N300 series routers. The flaws allow an attacker to execute arbitrary commands as root and leave users exposed to full device compromise, with no vendor-supplied fixes available.
According to the advisory, the first command injection vulnerability exists across multiple firmware versions: a crafted, authenticated HTTP request to TCP port 80 triggers arbitrary command execution, giving any authenticated attacker control through the device's main web interface. A second flaw, distinct from the issues reported in 2023, affects firmware up to and including v04.03.01.14, where a crafted network request to TCP port 7329 can likewise result in command execution.
Both flaws require authentication, though many devices ship with weak or unchanged default credentials, increasing real-world risk. CERT/CC emphasises that successful exploitation grants total control of the underlying operating system. With no patch or mitigation available at present, users are urged to reduce exposure, consider alternative devices for security-sensitive scenarios, and monitor for firmware updates or advisories from Tenda. Ax is credited by CERT/CC as the researcher who identified the exploitable components.
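Because no patch exists, the practical defender work is triage: confirm whether a unit's firmware is still within the range the advisory names for the port-7329 flaw, and check whether the two management ports (80 and 7329) are reachable from anywhere other than the trusted LAN. The script below is an added example written for this article; it is not code from CERT/CC, Tenda or the researcher. The `src=... dst=... dport=...` log format, the router address 203.0.113.10, the trusted network 192.168.0.0/16 and the sample log lines are all constructed for illustration.

```python
"""Triage helper for the Tenda command injection advisory summarised above.

Added example, not part of the original article. The log format, addresses
and sample lines are constructed; adapt the regex to your firewall's format.
"""
import re
from ipaddress import ip_address, ip_network

# Ports named in the advisory: 80 (main web interface) and 7329.
MANAGEMENT_PORTS = {80, 7329}

# Last affected firmware for the port-7329 flaw, as stated in the advisory.
# The port-80 flaw spans "multiple firmware versions" with no upper bound
# given, so it is not modelled here.
LAST_AFFECTED_7329 = "v04.03.01.14"


def parse_version(version: str) -> tuple:
    """Turn 'v04.03.01.14' into (4, 3, 1, 14) so versions compare numerically."""
    return tuple(int(part) for part in version.strip().lstrip("vV").split("."))


def version_in_scope_7329(firmware: str) -> bool:
    """True if the firmware is at or below the last version the advisory lists."""
    return parse_version(firmware) <= parse_version(LAST_AFFECTED_7329)


# Constructed syslog-like firewall record (hypothetical format).
LOG_LINE = re.compile(r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)")


def flag_exposure(lines, router_ip: str, trusted_nets) -> list:
    """Return (source, port) pairs for connections to the router's management
    ports that did not originate inside a trusted network.

    Anything that matches is a reason to tighten the WAN-side ACL or move the
    device off security-sensitive duty until Tenda ships a fix.
    """
    trusted = [ip_network(n) for n in trusted_nets]
    hits = []
    for line in lines:
        match = LOG_LINE.search(line)
        if not match:
            continue  # unrelated or malformed record
        if match["dst"] != router_ip:
            continue  # traffic to some other host
        dport = int(match["dport"])
        if dport not in MANAGEMENT_PORTS:
            continue
        src = ip_address(match["src"])
        if not any(src in net for net in trusted):
            hits.append((match["src"], dport))
    return hits


# Constructed sample records: one LAN login, two WAN-side probes of the
# advisory's ports, one unrelated HTTPS hit, one to a different host, one junk line.
SAMPLE_LOGS = [
    "Jan 10 10:00:01 fw kernel: ACCEPT src=192.168.1.20 dst=203.0.113.10 dport=80",
    "Jan 10 10:00:05 fw kernel: ACCEPT src=198.51.100.7 dst=203.0.113.10 dport=80",
    "Jan 10 10:00:09 fw kernel: ACCEPT src=198.51.100.8 dst=203.0.113.10 dport=443",
    "Jan 10 10:00:12 fw kernel: ACCEPT src=198.51.100.9 dst=203.0.113.10 dport=7329",
    "Jan 10 10:00:15 fw kernel: ACCEPT src=198.51.100.9 dst=203.0.113.99 dport=7329",
    "Jan 10 10:00:20 fw kernel: link state changed",
]


def triage(firmware: str, logs, router_ip: str, trusted_nets) -> dict:
    """Combine the version check and the exposure scan into one report."""
    return {
        "port_7329_flaw_in_scope": version_in_scope_7329(firmware),
        "untrusted_management_hits": flag_exposure(logs, router_ip, trusted_nets),
    }


if __name__ == "__main__":
    report = triage("v04.03.01.14", SAMPLE_LOGS, "203.0.113.10", ["192.168.0.0/16"])
    print(report)
```

Running it against the constructed records reports that the firmware is still within the advisory's range for the port-7329 flaw and lists the two WAN-side sources that reached ports 80 and 7329; the LAN login and the HTTPS hit are not reported.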