Description
Tenda W30E V2.0 V16.01.0.21 was found to contain a command injection vulnerability in the formSetUSBPartitionUmount function via the usbPartitionName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
Published: 2026-04-21
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Command Execution via crafted usbPartitionName in formSetUSBPartitionUmount
Action: Patch Required
AI Analysis

Impact

Command injection exists in the formSetUSBPartitionUmount function of the Tenda W30E router. By supplying a crafted usbPartitionName value, an attacker can inject and execute arbitrary operating‑system commands on the device. The vulnerability allows full control over the router with the privileges of the firmware, which can lead to compromise of the entire network or further lateral movement.

Affected Systems

The issue affects devices running Tenda W30E firmware version V2.0 V16.01.0.21. No other vendors or product releases are listed as impacted.

Risk and Exploitability

The CVSS score of 9.8 indicates a critical severity. The EPSS score of < 1% suggests a low likelihood of exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector for exploitation is via the router’s web interface, typically from a local network or through compromised credentials. No official patch or workaround has been released yet.

Generated by OpenCVE AI on April 28, 2026 at 21:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the Tenda support website for the latest firmware that fixes this issue and install it when available.
  • Restrict the router’s management interface to trusted IPs or VPN access and disable remote management where possible.
  • If the USB partition feature is not required, disable it or block the formSetUSBPartitionUmount endpoint from processing the usbPartitionName parameter.
  • Monitor router logs for unexpected usbPartitionName activity and investigate any anomalies.

Generated by OpenCVE AI on April 28, 2026 at 21:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 22:00:00 +0000

Type Values Removed Values Added
Title Command Injection via USB Partition Name in Tenda W30E Router

Tue, 28 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
Title Command Injection Vulnerability in Tenda W30E via formSetUSBPartitionUmount
Weaknesses CWE-78

Mon, 27 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Tenda w30e Firmware
CPEs cpe:2.3:h:tenda:w30e:2.0:*:*:*:*:*:*:*
cpe:2.3:o:tenda:w30e_firmware:16.01.0.21:*:*:*:*:*:*:*
Vendors & Products Tenda w30e Firmware

Wed, 22 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Title Command Injection Vulnerability in Tenda W30E via formSetUSBPartitionUmount
First Time appeared Tenda
Tenda w30e
Weaknesses CWE-77
CWE-78
Vendors & Products Tenda
Tenda w30e

Tue, 21 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Description Tenda W30E V2.0 V16.01.0.21 was found to contain a command injection vulnerability in the formSetUSBPartitionUmount function via the usbPartitionName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
References

Subscriptions

Tenda W30e W30e Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-22T15:35:41.189Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38835

cve-icon Vulnrichment

Updated: 2026-04-22T13:53:02.279Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-21T17:16:53.357

Modified: 2026-04-27T16:44:10.893

Link: CVE-2026-38835

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T21:45:26Z

Weaknesses