Description
Tenda W30E V2.0 V16.01.0.21 was found to contain a command injection vulnerability in the formSetUSBPartitionUmount function via the usbPartitionName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
Published: 2026-04-21
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Command Execution from crafted usbPartitionName input
Action: Immediate Patch
AI Analysis

Impact

Command injection is present in the formSetUSBPartitionUmount function of Tenda W30E firmware; a crafted usbPartitionName value can be used to inject and execute arbitrary commands on the device. This flaw enables attackers with network access to the router’s management interface to run commands with the privileges of the device, potentially compromising the entire network or allowing further lateral movement.

Affected Systems

The vulnerability affects devices running Tenda W30E firmware version V2.0 V16.01.0.21. No other vendors or product versions are listed as affected.

Risk and Exploitability

At the time this analysis was generated, the CVSS score was not published, but the capability to execute arbitrary commands suggests a high severity rating. EPSS data was not available and the flaw was not listed in CISA KEV, indicating no confirmed exploits at that time. Attackers would need to reach the router’s web interface, likely from a local network or through compromised credentials, to exploit the flaw. No official patch or workaround had been released.

Generated by OpenCVE AI on April 21, 2026 at 23:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Tenda W30E firmware that resolves the command injection issue
  • Restrict network access to the router’s management interface and disable anonymous or local user access
  • If a patch is unavailable, consider disabling the USB port or preventing the formSetUSBPartitionUmount endpoint from processing the usbPartitionName parameter
  • Monitor router logs for unusual usbPartitionName activity and investigate any anomalies

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 16:30:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 00:00:00 +0000

Type | Values Removed | Values Added
Title | | Command Injection Vulnerability in Tenda W30E via formSetUSBPartitionUmount
First Time appeared | | Tenda; Tenda w30e
Weaknesses | | CWE-77; CWE-78
Vendors & Products | | Tenda; Tenda w30e

Tue, 21 Apr 2026 17:15:00 +0000

Type | Values Removed | Values Added
Description | | Tenda W30E V2.0 V16.01.0.21 was found to contain a command injection vulnerability in the formSetUSBPartitionUmount function via the usbPartitionName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-22T15:35:41.189Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38835

Vulnrichment

Updated: 2026-04-22T13:53:02.279Z

NVD

Status: Awaiting Analysis

Published: 2026-04-21T17:16:53.357

Modified: 2026-04-22T21:24:26.997

Link: CVE-2026-38835

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T23:15:03Z

Weaknesses