← Back
2026-02-07 21:41CVE-2026-25857VulnCheck
PUBLISHED5.2CWE-78

Tenda G300-F Command Injection via formSetWanDiag

Tenda G300-F router firmware versio 16.01.14.2 and prior contain an OS command injection vulnerability in the WAN diagnostic functionality (formSetWanDiag). The implementation constructs a shell command that invokes curl and incorporates attacker-controlled input into the command line without adequate neutralization. As a result, a remote attacker with access to the affected management interface can inject additional shell syntax and execute arbitrary commands on the device with the privileges of the management process.

Problem type

Affected products

Shenzhen Tenda Technology

Tenda G300-F

<= 16.01.14.2 - AFFECTED

References

blog.evan.lat

https://blog.evan.lat/blog/cve-2026-25857/

technical-descriptionexploit
tendacn.com

https://www.tendacn.com/material/show/736333682028613

product
vulncheck.com

https://www.vulncheck.com/advisories/tenda-g300-f-command-injection-via-formsetwandiag

third-party-advisory

GitHub Security Advisories

GHSA-m35g-p77j-hqrh

Tenda G300-F router firmware versio 16.01.14.2 and prior contain an OS command injection...

https://github.com/advisories/GHSA-m35g-p77j-hqrh

Tenda G300-F router firmware versio 16.01.14.2 and prior contain an OS command injection vulnerability in the WAN diagnostic functionality (formSetWanDiag). The implementation constructs a shell command that invokes curl and incorporates attacker-controlled input into the command line without adequate neutralization. As a result, a remote attacker with access to the affected management interface can inject additional shell syntax and execute arbitrary commands on the device with the privileges of the management process.

nvd.nist.gov

https://nvd.nist.gov/vuln/detail/CVE-2026-25857

blog.evan.lat

https://blog.evan.lat/blog/cve-2026-25857

tendacn.com

https://www.tendacn.com/material/show/736333682028613

vulncheck.com

https://www.vulncheck.com/advisories/tenda-g300-f-command-injection-via-formsetwandiag

github.com

https://github.com/advisories/GHSA-m35g-p77j-hqrh

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-25857
Click to expand
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-25857",
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "dateUpdated": "2026-02-07T21:41:41.340Z",
    "dateReserved": "2026-02-06T19:12:03.462Z",
    "datePublished": "2026-02-07T21:41:41.340Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck",
        "dateUpdated": "2026-02-07T21:41:41.340Z"
      },
      "title": "Tenda G300-F Command Injection via formSetWanDiag",
      "descriptions": [
        {
          "lang": "en",
          "value": "Tenda G300-F router firmware versio 16.01.14.2 and prior contain an OS command injection vulnerability in the WAN diagnostic functionality (formSetWanDiag). The implementation constructs a shell command that invokes curl and incorporates attacker-controlled input into the command line without adequate neutralization. As a result, a remote attacker with access to the affected management interface can inject additional shell syntax and execute arbitrary commands on the device with the privileges of the management process.",
          "supportingMedia": [
            {
              "type": "text/html",
              "base64": false,
              "value": "Tenda G300-F router firmware versio 16.01.14.2 and prior contain an OS command injection vulnerability in the WAN diagnostic functionality (formSetWanDiag). The implementation constructs a shell command that invokes curl and incorporates attacker-controlled input into the command line without adequate neutralization. As a result, a remote attacker with access to the affected management interface can inject additional shell syntax and execute arbitrary commands on the device with the privileges of the management process."
            }
          ]
        }
      ],
      "affected": [
        {
          "vendor": "Shenzhen Tenda Technology",
          "product": "Tenda G300-F",
          "defaultStatus": "unaffected",
          "versions": [
            {
              "version": "0",
              "status": "affected",
              "versionType": "semver",
              "lessThanOrEqual": "16.01.14.2"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
              "cweId": "CWE-78",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://blog.evan.lat/blog/cve-2026-25857/",
          "tags": [
            "technical-description",
            "exploit"
          ]
        },
        {
          "url": "https://www.tendacn.com/material/show/736333682028613",
          "tags": [
            "product"
          ]
        },
        {
          "url": "https://www.vulncheck.com/advisories/tenda-g300-f-command-injection-via-formsetwandiag",
          "tags": [
            "third-party-advisory"
          ]
        }
      ],
      "metrics": [
        {
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "evan",
          "type": "finder"
        }
      ]
    }
  }
}