Description
A vulnerability was detected in Tenda HG3 2.0. The impacted element is an unknown function of the file /boaform/formCountrystr. The manipulation of the argument countrystr results in os command injection. The attack may be performed from remote. The exploit is now public and may be used.
Published: 2026-04-27
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Command Execution
Action: Mitigate
AI Analysis

Impact

Tenda HG3 firmware 2.0 includes a vulnerability in the /boaform/formCountrystr handler that allows an attacker to inject and execute arbitrary OS commands by manipulating the countrystr argument. The flaw is remotely exploitable. Based on the description, it is inferred that the vulnerability can be exploited without authentication, giving the attacker the ability to run commands with the privileges of the web interface process. This results in full compromise of the device and any network functions it performs.

Affected Systems

The affected system is the Tenda HG3 router running firmware version 2.0. The vulnerability resides in an unknown function within the file /boaform/formCountrystr and is present in all units using this firmware. No other vendors or product lines are listed.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity flaw. With no EPSS score available and the vulnerability not listed in the CISA KEV catalog, the likelihood of exploitation depends on threat actor interest; however, the remote command injection vector and the inference, based on the description, that the vulnerability may be exploitable without authentication make it a prime target for automated attacks. If exploited, an attacker can gain unrestricted command execution on the device, potentially enabling full network takeover.

Generated by OpenCVE AI on April 28, 2026 at 19:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check Tenda for any firmware updates that address command injection and apply them if available.
  • Restrict external access to the device’s web interface by configuring firewall rules or disabling remote management features to prevent remote exploitation.
  • Configure the firewall or router ACL to block or tightly limit access to the /boaform/formCountrystr endpoint from untrusted networks.
  • Enable detailed logging of web interface activity and regularly review logs for signs of injection attempts or unexpected command execution.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 01:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Tenda; Tenda hg3 |
| Vendors & Products | | Tenda; Tenda hg3 |

Mon, 27 Apr 2026 14:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'} |

Mon, 27 Apr 2026 12:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | A vulnerability was detected in Tenda HG3 2.0. The impacted element is an unknown function of the file /boaform/formCountrystr. The manipulation of the argument countrystr results in os command injection. The attack may be performed from remote. The exploit is now public and may be used. |
| Title | | Tenda HG3 formCountrystr os command injection |
| Weaknesses | | CWE-77; CWE-78 |
| References | | |
| Metrics | | cvssV2_0: {'score': 9, 'vector': 'AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'} |
| | | cvssV3_0: {'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'} |
| | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'} |
| | | cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'} |

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-27T13:21:21.717Z

Reserved: 2026-04-26T16:04:05.453Z

Link: CVE-2026-7119

Vulnrichment

Updated: 2026-04-27T13:21:14.825Z

NVD

Status: Awaiting Analysis

Published: 2026-04-27T12:16:25.830

Modified: 2026-04-27T18:57:20.293

Link: CVE-2026-7119

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T20:00:19Z

Weaknesses