Description
Tenda W30E V2.0 V16.01.0.21 was found to contain a command injection vulnerability in the do_ping_action function via the hostName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
Published: 2026-04-21
Score: 7.3 High
EPSS: 2.6% Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Tenda W30E routers running firmware V2.0 V16.01.0.21 are vulnerable to a command injection flaw in the do_ping_action function, reachable via the hostName parameter. An attacker can craft a request that causes the router to execute arbitrary operating-system commands with the privileges of the web service, leading to full compromise of the device. The weakness is classified as command injection (CWE-77); the record history also lists OS command injection (CWE-78).

Affected Systems

The only affected system documented is the Tenda W30E wireless router running firmware V2.0 V16.01.0.21. No additional vendor or product versions are listed.

Risk and Exploitability

Tenda W30E routers whose web management interface is reachable by an attacker are exposed to remote code execution via a crafted HTTP request that triggers the do_ping_action function. The EPSS score of 3% indicates a relatively low but non-zero likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog, and there is no known evidence of widespread exploitation; however, the potential impact remains high if the interface is reachable. The CVSS score of 7.3 corresponds to high severity.

Generated by OpenCVE AI on April 22, 2026 at 15:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the Tenda website for a firmware update that addresses the command injection flaw and apply it as soon as possible.
  • If no patch is available, limit access to the router’s web management interface to the local network only; block WAN access to ports 80/443 with a firewall or router ACLs.
  • Disable the ping functionality or the do_ping_action feature in the router’s settings to eliminate the vulnerable code path.
  • Monitor network traffic for anomalous requests targeting the router’s status page and review system logs for evidence of exploitation attempts.
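
For the log-review step above, one way to flag suspect requests, as an added example that is not OpenCVE's or Tenda's code. It assumes management-interface requests are logged by an upstream proxy in combined log format with hostName in the query string; the /EXAMPLE/ping path and all log lines are constructed, since the page does not give the real endpoint.

```python
import re
from urllib.parse import urlsplit, parse_qs

# RFC 1123 host syntax: dot-separated labels of letters, digits and hyphens,
# each label starting and ending with a letter or digit. Dotted IPv4 also fits.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*\.?")
# Request line inside a combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def is_plain_host(value: str) -> bool:
    """True only for values a ping target legitimately needs (allowlist)."""
    return len(value) <= 253 and HOSTNAME_RE.fullmatch(value) is not None

def suspicious_hostname_values(log_lines):
    """Yield (line_number, decoded_value) for hostName values that are not plain hosts."""
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        # parse_qs percent-decodes, so encoded metacharacters are seen in the clear.
        params = parse_qs(urlsplit(match.group(1)).query, keep_blank_values=True)
        for value in params.get("hostName", []):
            if not is_plain_host(value):
                yield number, value

# Constructed sample log lines (documentation address ranges, placeholder path).
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Apr/2026:10:00:01 +0000] "GET /EXAMPLE/ping?hostName=www.example.com HTTP/1.1" 200 512',
    '192.0.2.10 - - [22/Apr/2026:10:00:05 +0000] "GET /EXAMPLE/ping?hostName=198.51.100.7 HTTP/1.1" 200 498',
    '203.0.113.5 - - [22/Apr/2026:10:02:11 +0000] "GET /EXAMPLE/ping?hostName=198.51.100.7%3Bx HTTP/1.1" 200 120',
    '203.0.113.5 - - [22/Apr/2026:10:02:12 +0000] "GET /EXAMPLE/ping?hostName=a%20b HTTP/1.1" 200 120',
    '192.0.2.10 - - [22/Apr/2026:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for number, value in suspicious_hostname_values(SAMPLE_LOG):
        print(f"line {number}: non-hostname value in hostName: {value!r}")
```

The allowlist also flags IPv6 literals and empty values, so treat hits as items to review rather than confirmed exploitation.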


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
Title Command Injection in Tenda W30E Firmware V2.0 V16.01.0.21

Wed, 22 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
Title Command Injection in Tenda W30E Firmware V2.0 V16.01.0.21

Wed, 22 Apr 2026 07:15:00 +0000

Type Values Removed Values Added
Title Remote Command Injection via HostName Parameter in Tenda W30E Router
Weaknesses CWE-78

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Title Remote Command Injection via HostName Parameter in Tenda W30E Router
First Time appeared Tenda
Tenda w30e
Weaknesses CWE-77
CWE-78
Vendors & Products Tenda
Tenda w30e
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 21 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Description Tenda W30E V2.0 V16.01.0.21 was found to contain a command injection vulnerability in the do_ping_action function via the hostName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-21T19:23:17.157Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38834

Vulnrichment

Updated: 2026-04-21T19:19:35.452Z

NVD

Status: Awaiting Analysis

Published: 2026-04-21T17:16:53.257

Modified: 2026-04-22T21:24:26.997

Link: CVE-2026-38834

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T15:30:20Z

Weaknesses