Description
A vulnerability was detected in Tenda 4G300 US_4G300V1.0Mt_V1.01.42_CN_TDC01. This impacts the function sub_425A28 of the file /goform/DelFil. The manipulation of the argument delflag results in command injection. The attack may be launched remotely. The exploit is now public and may be used.
Published: 2026-04-30
Score: 5.3 Medium
EPSS: 3.0% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the sub_425A28 function of /goform/DelFil within the Tenda 4G300 firmware. By manipulating the delflag argument, an attacker can inject arbitrary shell commands, resulting in remote command execution. This weakness falls under uncontrolled command injection weaknesses.

Affected Systems

Affected devices are Tenda 4G300 Router models running unspecified firmware versions.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity. The EPSS score of 3% shows a low but existent chance of exploitation, and the vulnerability is not yet listed in CISA KEV. A public exploit exists, meaning an attacker can issue a request to the vulnerable endpoint from the internet. The attack vector is remote, requiring network access to the router.

Generated by OpenCVE AI on May 1, 2026 at 05:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update released by Tenda that addresses the command injection flaw.
  • Restrict access to the /goform/DelFil endpoint by network segmentation or firewall rules, allowing only trusted devices.
  • Validate and sanitize the delflag parameter on the gateway side to prevent injection of shell metacharacters.

Generated by OpenCVE AI on May 1, 2026 at 05:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 30 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:h:tenda:4g300:-:*:*:*:*:*:*:*
cpe:2.3:o:tenda:4g300_firmware:1.01.42_cn_tdc01:*:*:*:*:*:*:*

Thu, 30 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 30 Apr 2026 03:45:00 +0000

Type Values Removed Values Added
First Time appeared Tenda 4g300
Vendors & Products Tenda 4g300

Thu, 30 Apr 2026 02:00:00 +0000

Type Values Removed Values Added
Description A vulnerability was detected in Tenda 4G300 US_4G300V1.0Mt_V1.01.42_CN_TDC01. This impacts the function sub_425A28 of the file /goform/DelFil. The manipulation of the argument delflag results in command injection. The attack may be launched remotely. The exploit is now public and may be used.
Title Tenda 4G300 DelFil sub_425A28 command injection
First Time appeared Tenda
Tenda 4g300 Firmware
Weaknesses CWE-74
CWE-77
CPEs cpe:2.3:o:tenda:4g300_firmware:*:*:*:*:*:*:*:*
Vendors & Products Tenda
Tenda 4g300 Firmware
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Tenda 4g300 4g300 Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-30T13:44:18.276Z

Reserved: 2026-04-29T19:21:10.675Z

Link: CVE-2026-7469

cve-icon Vulnrichment

Updated: 2026-04-30T13:44:03.176Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-30T02:16:06.967

Modified: 2026-04-30T20:41:35.710

Link: CVE-2026-7469

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T05:30:09Z

Weaknesses