Description
Tenda G300-F router firmware version 16.01.14.2 and prior contain an OS command injection vulnerability in the WAN diagnostic functionality (formSetWanDiag). The implementation constructs a shell command that invokes curl and incorporates attacker-controlled input into the command line without adequate neutralization. As a result, a remote attacker with access to the affected management interface can inject additional shell syntax and execute arbitrary commands on the device with the privileges of the management process.
Published: 2026-02-07
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

Tenda G300-F routers with firmware version 16.01.14.2.2 and any earlier releases are vulnerable to an OS command injection flaw in the WAN diagnostic functionality (formSetWanDiag). The software constructs a shell command that calls curl and incorporates attacker-controlled input without proper sanitization, enabling an attacker to inject arbitrary shell syntax. Successful exploitation grants the attacker full execution rights with the privileges of the device’s management process. This weakness corresponds to CWE-78.

Affected Systems

The vulnerability affects devices running the Shenzhen Tenda Technology Tenda G300-F router firmware 16.01.14.2.2 and earlier. The CNA lists the Tenda G300-F router and related firmware variants such as the Tenda RX9 Pro as affected products. Verify the firmware version on any Tenda G300-F or RX9 Pro devices to determine exposure.

Risk and Exploitability

The CVSS score of 8.6 indicates a high severity risk, while the EPSS score of less than 1% reflects a low current exploitation probability. The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is remote access to the router’s management interface; an attacker who can reach the web-based interface—either locally or over the network—can supply malicious input to formSetWanDiag. Based on the description, it is inferred that the attacker does not need additional privileges beyond access to the management interface. Successful exploitation would allow the attacker to execute arbitrary commands with elevated privileges, potentially compromising the entire device and any devices behind it.

Generated by OpenCVE AI on April 17, 2026 at 22:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the router firmware to a version that removes the vulnerable formSetWanDiag handler
  • Restrict access to the management interface by enabling HTTPS, disabling HTTP, or limiting IP ranges
  • After applying the update, disable WAN diagnostic features that are not needed and monitor logs for any anomalous activity

Generated by OpenCVE AI on April 17, 2026 at 22:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 05 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Tenda g300-f Firmware
CPEs cpe:2.3:h:tenda:g300-f:1.0:*:*:*:*:*:*:*
cpe:2.3:o:tenda:g300-f_firmware:*:*:*:*:*:*:*:*
Vendors & Products Tenda g300-f Firmware
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Thu, 05 Mar 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Tenda rx9 Pro Firmware
CPEs cpe:2.3:o:tenda:rx9_pro_firmware:*:*:*:*:*:*:*:*
Vendors & Products Tenda rx9 Pro Firmware

Tue, 10 Feb 2026 22:30:00 +0000

Type Values Removed Values Added
Description Tenda G300-F router firmware versio 16.01.14.2 and prior contain an OS command injection vulnerability in the WAN diagnostic functionality (formSetWanDiag). The implementation constructs a shell command that invokes curl and incorporates attacker-controlled input into the command line without adequate neutralization. As a result, a remote attacker with access to the affected management interface can inject additional shell syntax and execute arbitrary commands on the device with the privileges of the management process. Tenda G300-F router firmware version 16.01.14.2 and prior contain an OS command injection vulnerability in the WAN diagnostic functionality (formSetWanDiag). The implementation constructs a shell command that invokes curl and incorporates attacker-controlled input into the command line without adequate neutralization. As a result, a remote attacker with access to the affected management interface can inject additional shell syntax and execute arbitrary commands on the device with the privileges of the management process.

Tue, 10 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 09 Feb 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Tenda
Tenda g300-f
Vendors & Products Tenda
Tenda g300-f

Sat, 07 Feb 2026 22:00:00 +0000

Type Values Removed Values Added
Description Tenda G300-F router firmware versio 16.01.14.2 and prior contain an OS command injection vulnerability in the WAN diagnostic functionality (formSetWanDiag). The implementation constructs a shell command that invokes curl and incorporates attacker-controlled input into the command line without adequate neutralization. As a result, a remote attacker with access to the affected management interface can inject additional shell syntax and execute arbitrary commands on the device with the privileges of the management process.
Title Tenda G300-F Command Injection via formSetWanDiag
Weaknesses CWE-78
References
Metrics cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Tenda G300-f G300-f Firmware Rx9 Pro Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T01:30:53.114Z

Reserved: 2026-02-06T19:12:03.462Z

Link: CVE-2026-25857

cve-icon Vulnrichment

Updated: 2026-02-10T16:14:04.077Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-07T22:16:02.607

Modified: 2026-03-05T20:33:27.963

Link: CVE-2026-25857

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T22:15:29Z

Weaknesses