Cyber Resilience

CVE-2021-47802

HighPublic PoC

Published: 21 January 2026

Published
21 January 2026
Modified
02 February 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0061 44.7th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2021-47802 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Tenda D151 Firmware. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 44.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SC-14 (Public Access Protections).

Deeper analysis

CVE-2021-47802 is an unauthenticated configuration download vulnerability affecting Tenda D151 and D301 routers. The flaw, tied to CWE-306 (Missing Authentication for Critical Function), enables remote attackers to retrieve sensitive router configuration files, including admin credentials, by sending an HTTP request to the /goform/getimage endpoint without any authentication requirements. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), highlighting its high confidentiality impact due to the exposure of critical data.

Remote attackers with network access to the affected routers can exploit this vulnerability without privileges, user interaction, or complex preconditions. By simply issuing a request to the vulnerable endpoint, they can download configuration files containing admin credentials and other sensitive information, facilitating subsequent attacks like admin interface takeover, network mapping, or lateral movement within the targeted environment.

Advisories and additional details are documented in references such as Exploit-DB (exploit 49782), the Tenda US website (tendacn.com/us/), and a Vulncheck advisory on the Tenda D-series configuration download issue. Security practitioners should review these sources for vendor-specific mitigation recommendations.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Tenda D151 and D301 routers contain an unauthenticated configuration download vulnerability that allows remote attackers to retrieve router configuration files. Attackers can send a request to /goform/getimage endpoint to download configuration data including admin credentials without authentication.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1602.002 Network Device Configuration Dump Collection
Adversaries may access network configuration files to collect sensitive data about the device and the network.
T1552.001 Credentials In Files Credential Access
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Why these techniques?

Unauthenticated HTTP endpoint directly enables public-facing exploitation (T1190) to dump router config (T1602.002) exposing credentials (T1552.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-5849Same vendor: Tenda
CVE-2026-30140Same vendor: Tenda
CVE-2025-29357Same vendor: Tenda
CVE-2025-1853Same vendor: Tenda
CVE-2026-5841Same vendor: Tenda
CVE-2025-12225Same vendor: Tenda
CVE-2025-7420Same vendor: Tenda
CVE-2018-25316Same vendor: Tenda
CVE-2025-7747Same vendor: Tenda
CVE-2025-7795Same vendor: Tenda

Affected Assets

tenda
d151 firmware
all versions
tenda
d301 firmware
all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AC-14 directly prohibits unauthenticated actions for critical functions, preventing remote attackers from accessing the /goform/getimage endpoint to download sensitive router configuration files including admin credentials.

prevent

SC-14 enforces access protections for publicly accessible information, mitigating unauthorized exposure of configuration data on internet-facing Tenda D151 and D301 routers.

prevent

SI-2 requires timely identification, reporting, and remediation of the specific flaw enabling unauthenticated configuration downloads, eliminating the vulnerability.

References