CVE-2021-47802
Published: 21 January 2026
Summary
CVE-2021-47802 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Tenda D151 Firmware. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 44.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SC-14 (Public Access Protections).
Deeper analysis
CVE-2021-47802 is an unauthenticated configuration download vulnerability affecting Tenda D151 and D301 routers. The flaw, tied to CWE-306 (Missing Authentication for Critical Function), enables remote attackers to retrieve sensitive router configuration files, including admin credentials, by sending an HTTP request to the /goform/getimage endpoint without any authentication requirements. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), highlighting its high confidentiality impact due to the exposure of critical data.
Remote attackers with network access to the affected routers can exploit this vulnerability without privileges, user interaction, or complex preconditions. By simply issuing a request to the vulnerable endpoint, they can download configuration files containing admin credentials and other sensitive information, facilitating subsequent attacks like admin interface takeover, network mapping, or lateral movement within the targeted environment.
Advisories and additional details are documented in references such as Exploit-DB (exploit 49782), the Tenda US website (tendacn.com/us/), and a Vulncheck advisory on the Tenda D-series configuration download issue. Security practitioners should review these sources for vendor-specific mitigation recommendations.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3650
Vulnerability details
Tenda D151 and D301 routers contain an unauthenticated configuration download vulnerability that allows remote attackers to retrieve router configuration files. Attackers can send a request to /goform/getimage endpoint to download configuration data including admin credentials without authentication.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated HTTP endpoint directly enables public-facing exploitation (T1190) to dump router config (T1602.002) exposing credentials (T1552.001).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
AC-14 directly prohibits unauthenticated actions for critical functions, preventing remote attackers from accessing the /goform/getimage endpoint to download sensitive router configuration files including admin credentials.
SC-14 enforces access protections for publicly accessible information, mitigating unauthorized exposure of configuration data on internet-facing Tenda D151 and D301 routers.
SI-2 requires timely identification, reporting, and remediation of the specific flaw enabling unauthenticated configuration downloads, eliminating the vulnerability.