Description
A vulnerability was detected in Tenda 4G300 US_4G300V1.0Mt_V1.01.42_CN_TDC01. This impacts the function sub_425A28 of the file /goform/DelFil. The manipulation of the argument delflag results in command injection. The attack may be launched remotely. The exploit is now public and may be used.
Published: 2026-04-30
Score: 5.3 Medium
EPSS: 1.3% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the sub_425A28 function of /goform/DelFil within the Tenda 4G300 firmware. By manipulating the delflag argument, an attacker can inject arbitrary shell commands, resulting in remote command execution. This weakness is identified by CWE-74 and CWE-77, indicating uncontrolled format string and command injection vulnerabilities.

Affected Systems

Affected devices are Tenda 4G300 Router models running unspecified firmware versions.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity. The EPSS score of 0.01314 indicates a very low but possible chance of exploitation, and the vulnerability is not listed in CISA KEV. A public exploit exists, meaning an attacker can issue a request to the vulnerable endpoint from the internet. The attack vector is remote, requiring network access to the router.

Generated by OpenCVE AI on June 18, 2026 at 14:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update released by Tenda that addresses the command injection flaw.
  • Restrict access to the /goform/DelFil endpoint by network segmentation or firewall rules, allowing only trusted devices.
  • Validate and sanitize the delflag parameter on the gateway side to prevent injection of shell metacharacters.

Generated by OpenCVE AI on June 18, 2026 at 14:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 30 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:h:tenda:4g300:-:*:*:*:*:*:*:*
cpe:2.3:o:tenda:4g300_firmware:1.01.42_cn_tdc01:*:*:*:*:*:*:*

Thu, 30 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 30 Apr 2026 03:45:00 +0000

Type Values Removed Values Added
First Time appeared Tenda 4g300
Vendors & Products Tenda 4g300

Thu, 30 Apr 2026 02:00:00 +0000

Type Values Removed Values Added
Description A vulnerability was detected in Tenda 4G300 US_4G300V1.0Mt_V1.01.42_CN_TDC01. This impacts the function sub_425A28 of the file /goform/DelFil. The manipulation of the argument delflag results in command injection. The attack may be launched remotely. The exploit is now public and may be used.
Title Tenda 4G300 DelFil sub_425A28 command injection
First Time appeared Tenda
Tenda 4g300 Firmware
Weaknesses CWE-74
CWE-77
CPEs cpe:2.3:o:tenda:4g300_firmware:*:*:*:*:*:*:*:*
Vendors & Products Tenda
Tenda 4g300 Firmware
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Tenda 4g300 4g300 Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-30T13:44:18.276Z

Reserved: 2026-04-29T19:21:10.675Z

Link: CVE-2026-7469

cve-icon Vulnrichment

Updated: 2026-04-30T13:44:03.176Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-30T02:16:06.967

Modified: 2026-06-17T11:02:28.593

Link: CVE-2026-7469

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T14:30:15Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')