Impact
A flaw exists in the formTracert endpoint of the Tenda HG3 router that accepts a datasize parameter. By manipulating this parameter, an attacker can inject arbitrary shell commands, leading to remote code execution on the device. The weakness is a classic command injection vulnerability (CWE‑74) that also triggers operating‑system command injection (CWE‑77), allowing the attacker to bypass input constraints and execute unintended commands. Because the injection occurs via the web management interface, the attack can be carried out from any external host that can reach the router’s WAN side.
Affected Systems
The Tenda HG3 router running firmware version 2.0 is affected. The issue resides in the web management interface located at /boaform/formTracert. No other products or versions are mentioned.
Risk and Exploitability
The CVSS score is 8.7, indicating high severity. The EPSS score of 3% suggests a moderate probability of exploitation. The vulnerability is publicly disclosed and can be exploited remotely, and it is not listed in CISA’s KEV catalog. Exploitation requires only that an attacker reach the exposed formTracert endpoint and send a crafted datasize value; no additional privileges are needed. Given the high severity and the fact that the attack is possible from external hosts, the risk remains significant until a fix is deployed.
OpenCVE Enrichment