Description
Tenda G300-F router firmware version 16.01.14.2 and prior contain an OS command injection vulnerability in the WAN diagnostic functionality (formSetWanDiag). The implementation constructs a shell command that invokes curl and incorporates attacker-controlled input into the command line without adequate neutralization. As a result, a remote attacker with access to the affected management interface can inject additional shell syntax and execute arbitrary commands on the device with the privileges of the management process.
Published: 2026-02-07
Score: 8.6 High
EPSS: 2.8% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Tenda G300-F routers running firmware version 16.01.14.2 and earlier have an OS command injection flaw in the formSetWanDiag WAN diagnostic handler. When the form is submitted, the firmware builds a shell command that calls curl and embeds the attacker-controlled diagnostic input in it without neutralizing shell metacharacters. A remote attacker who can reach the router's web-based management interface can therefore append shell syntax to the input (a ';' followed by a second command, for instance) and have the device run that command with the privileges of the management process. The weakness is CWE-78, Improper Neutralization of Special Elements used in an OS Command.
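The pattern the description refers to, shown as an added illustration rather than Tenda's code (the real formSetWanDiag implementation is not on this page, and the function and parameter names below are assumptions): a handler that splices the diagnostic target into a curl command string destined for a shell, next to a hardened version that validates the target against a hostname allowlist and executes curl through execvp with an argv array so no shell ever parses the input.

```c
/*
 * Added example, not Tenda's code: the shape of a curl-based WAN diagnostic
 * handler with the CWE-78 defect described above, beside a hardened version.
 * Function and parameter names are assumptions; the real formSetWanDiag
 * code is not on this page.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

#define CMD_MAX 512

/* Vulnerable pattern: the user-supplied target is spliced into a command
 * line that the real handler would hand to system(). Anything the shell
 * treats specially (; | & ` $( ) ...) becomes part of the command. The
 * string is only composed here, never executed, so it can be inspected. */
int build_diag_command_vulnerable(const char *target, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "curl -s -o /dev/null -m 5 %s", target);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Hardened step 1: accept only what a hostname or IPv4 literal can contain.
 * An allowlist is safer than trying to enumerate shell metacharacters. */
int valid_diag_target(const char *target)
{
    size_t len = strlen(target);
    if (len == 0 || len > 253)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)target[i];
        if (!(isalnum(c) || c == '.' || c == '-'))
            return 0;
    }
    /* no leading/trailing '-' or '.', which also blocks option-looking input */
    if (target[0] == '-' || target[0] == '.' ||
        target[len - 1] == '-' || target[len - 1] == '.')
        return 0;
    return 1;
}

/* Hardened step 2: no shell at all. Each argument is its own argv element,
 * so even a validated target can never be parsed as shell syntax. Returns
 * curl's exit status, or -1 on rejected input or process failure.
 * (Not exercised by the offline test because it would run curl.) */
int run_diag_curl(const char *target)
{
    if (!valid_diag_target(target))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* "--" ends curl's option parsing, a second guard against "-x" input */
        char *const argv[] = { "curl", "-s", "-o", "/dev/null", "-m", "5",
                               "--", (char *)target, NULL };
        execvp("curl", argv);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Would a POSIX shell act on anything in this composed command line? */
int contains_shell_metachars(const char *s)
{
    return strpbrk(s, ";|&`$()<>\n'\"\\") != NULL;
}

int main(void)
{
    /* Constructed inputs: a benign target and one with an injected command. */
    const char *benign = "example.com";
    const char *injected = "example.com;id";
    char cmd[CMD_MAX];

    build_diag_command_vulnerable(injected, cmd, sizeof cmd);
    printf("vulnerable handler would run: %s\n", cmd);
    printf("allowlist validator: benign=%d injected=%d\n",
           valid_diag_target(benign), valid_diag_target(injected));
    return 0;
}
```

The two hardening steps are independent: the allowlist rejects the injected input outright, and the execvp call guarantees that whatever survives validation is passed to curl as a single argument rather than interpreted by /bin/sh.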

Affected Systems

The vulnerability affects Shenzhen Tenda Technology Tenda G300‑F routers with firmware version 16.01.14.2 and earlier. The G300‑F is the only device named in the vendor/product information; the change history on this page also records a Tenda RX9 Pro firmware CPE being added to the record on 5 March 2026, so check the current CPE list rather than relying on the model name alone.

Risk and Exploitability

The CVSS v4.0 score of 8.6 indicates high severity (the v3.1 vector recorded by NVD scores 8.8), while the EPSS score of 2.8% indicates a low current probability of exploitation in the wild. The vulnerability is not listed in CISA's KEV catalog. The attack vector is network access to the router's web-based management interface. Both CVSS vectors on this page (PR:H in v4.0, PR:L in v3.1) treat the attacker as already holding credentials for that interface; no privilege beyond that authenticated access is needed to supply the malicious input. The SSVC assessment records exploitation status "poc" and total technical impact. Successful exploitation gives the attacker arbitrary command execution with the privileges of the management process, which on consumer router firmware is commonly the root account, so the whole device and the traffic it forwards should be considered compromised.

Generated by OpenCVE AI on June 16, 2026 at 14:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a fixed firmware release once Tenda publishes one; no vendor fix or workaround is listed here at the time of writing, so until then treat the device as exposed.
  • Keep the management interface off the WAN side (disable remote management), allow it only from a trusted administrative network or host range, and rotate the administrator credentials, since the recorded CVSS vectors assume the attacker already holds them. Enabling HTTPS protects credentials in transit but does nothing against an authenticated attacker.
  • Leave the WAN diagnostic feature unused where it is not needed, and review the device's web-server logs for formSetWanDiag requests whose parameters contain shell metacharacters such as ';', '|', '&', '`' or '$(' , including their percent-encoded forms.

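A concrete form of the log review in the last recommendation, added here as an illustration and not taken from OpenCVE or Tenda. The log line format, the /goform/ path and the target= parameter name are constructed for the example; the point that carries over to any log format is decoding percent-escapes before looking for shell metacharacters, because %3B in a request is as dangerous as a literal ';'.

```c
/*
 * Added example (not from the page or the vendor): flag formSetWanDiag
 * requests whose parameters carry shell metacharacters, whether raw or
 * percent-encoded. The log format, the /goform/ path and the "target="
 * parameter name are constructed for illustration.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Characters a POSIX shell interprets inside an unquoted argument. */
#define SHELL_META ";|&`$()<>\n\r'\"\\"

static int hexval(int c)
{
    if (c >= '0' && c <= '9')
        return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f')
        return c - 'a' + 10;
    return -1;
}

/* Percent-decode src into dst; '+' becomes ' '. Always NUL-terminates.
 * Scanning the raw line would miss ';' sent as %3B, so decode first. */
void url_decode(const char *src, char *dst, size_t dstlen)
{
    size_t j = 0;
    for (size_t i = 0; src[i] && j + 1 < dstlen; i++) {
        if (src[i] == '%' && hexval(src[i + 1]) >= 0 && hexval(src[i + 2]) >= 0) {
            dst[j++] = (char)(hexval(src[i + 1]) * 16 + hexval(src[i + 2]));
            i += 2;
        } else if (src[i] == '+') {
            dst[j++] = ' ';
        } else {
            dst[j++] = src[i];
        }
    }
    dst[j] = '\0';
}

/* Constructed log format:
 *   <timestamp> <client-ip> <method> <path> <query-or-body>
 * Returns 1 when the path names formSetWanDiag and the decoded parameter
 * string (the last field) contains a shell metacharacter, else 0. */
int suspicious_wan_diag(const char *line)
{
    if (strstr(line, "formSetWanDiag") == NULL)
        return 0;
    const char *params = strrchr(line, ' ');
    if (params == NULL)
        return 0;
    params++;
    char decoded[1024];
    url_decode(params, decoded, sizeof decoded);
    return strpbrk(decoded, SHELL_META) != NULL;
}

/* Scan an array of lines; returns how many were flagged. */
int count_suspicious(const char *const *lines, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        hits += suspicious_wan_diag(lines[i]);
    return hits;
}

/* Constructed sample lines: two benign, two hostile (one raw, one encoded). */
static const char *const SAMPLE_LOG[] = {
    "2026-02-08T10:15:02Z 192.168.1.20 POST /goform/formSetWanDiag target=example.com",
    "2026-02-08T10:15:09Z 192.168.1.20 GET /goform/formGetStatus none",
    "2026-02-08T10:16:41Z 192.168.1.77 POST /goform/formSetWanDiag target=example.com;id",
    "2026-02-08T10:16:45Z 192.168.1.77 POST /goform/formSetWanDiag target=example.com%3Bid",
};
#define SAMPLE_LOG_LEN (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

int main(void)
{
    for (size_t i = 0; i < SAMPLE_LOG_LEN; i++)
        if (suspicious_wan_diag(SAMPLE_LOG[i]))
            printf("SUSPICIOUS: %s\n", SAMPLE_LOG[i]);
    printf("%d of %zu lines flagged\n",
           count_suspicious(SAMPLE_LOG, SAMPLE_LOG_LEN), SAMPLE_LOG_LEN);
    return 0;
}
```

Adapt the field extraction to the real log layout of the device or of an upstream proxy; the decode-then-scan order and the metacharacter set are the parts worth keeping.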

Advisories

No advisories yet.

History

Thu, 05 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Tenda g300-f Firmware
CPEs cpe:2.3:h:tenda:g300-f:1.0:*:*:*:*:*:*:*
cpe:2.3:o:tenda:g300-f_firmware:*:*:*:*:*:*:*:*
Vendors & Products Tenda g300-f Firmware
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Thu, 05 Mar 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Tenda rx9 Pro Firmware
CPEs cpe:2.3:o:tenda:rx9_pro_firmware:*:*:*:*:*:*:*:*
Vendors & Products Tenda rx9 Pro Firmware

Tue, 10 Feb 2026 22:30:00 +0000

Type Values Removed Values Added
Description
  Removed: Tenda G300-F router firmware versio 16.01.14.2 and prior contain an OS command injection vulnerability in the WAN diagnostic functionality (formSetWanDiag). The implementation constructs a shell command that invokes curl and incorporates attacker-controlled input into the command line without adequate neutralization. As a result, a remote attacker with access to the affected management interface can inject additional shell syntax and execute arbitrary commands on the device with the privileges of the management process.
  Added: Tenda G300-F router firmware version 16.01.14.2 and prior contain an OS command injection vulnerability in the WAN diagnostic functionality (formSetWanDiag). The implementation constructs a shell command that invokes curl and incorporates attacker-controlled input into the command line without adequate neutralization. As a result, a remote attacker with access to the affected management interface can inject additional shell syntax and execute arbitrary commands on the device with the privileges of the management process.

Tue, 10 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 09 Feb 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Tenda
Tenda g300-f
Vendors & Products Tenda
Tenda g300-f

Sat, 07 Feb 2026 22:00:00 +0000

Type Values Removed Values Added
Description Tenda G300-F router firmware versio 16.01.14.2 and prior contain an OS command injection vulnerability in the WAN diagnostic functionality (formSetWanDiag). The implementation constructs a shell command that invokes curl and incorporates attacker-controlled input into the command line without adequate neutralization. As a result, a remote attacker with access to the affected management interface can inject additional shell syntax and execute arbitrary commands on the device with the privileges of the management process.
Title Tenda G300-F Command Injection via formSetWanDiag
Weaknesses CWE-78
References
Metrics cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-11T23:11:16.434Z

Reserved: 2026-02-06T19:12:03.462Z

Link: CVE-2026-25857

Vulnrichment

Updated: 2026-02-10T16:14:04.077Z

NVD

Status : Analyzed

Published: 2026-02-07T22:16:02.607

Modified: 2026-03-05T20:33:27.963

Link: CVE-2026-25857

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T15:00:07Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')