← Zuruck zu CVEs
CVE-2026-25857
HIGH8.8
Beschreibung
Tenda G300-F router firmware version 16.01.14.2 and prior contain an OS command injection vulnerability in the WAN diagnostic functionality (formSetWanDiag). The implementation constructs a shell command that invokes curl and incorporates attacker-controlled input into the command line without adequate neutralization. As a result, a remote attacker with access to the affected management interface can inject additional shell syntax and execute arbitrary commands on the device with the privileges of the management process.
CVE Details
CVSS v3.1 Bewertung8.8
SchweregradHIGH
CVSS VektorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AngriffsvektorNETWORK
KomplexitatLOW
Erforderliche PrivilegienLOW
BenutzerinteraktionNONE
Veroffentlicht2/7/2026
Zuletzt geandert3/5/2026
Quellenvd
Honeypot-Sichtungen0
Betroffene Produkte
tenda:g300-ftenda:g300-f_firmware
Schwachen (CWE)
CWE-78
Referenzen
https://blog.evan.lat/blog/cve-2026-25857/(disclosure@vulncheck.com)
https://www.tendacn.com/material/show/736333682028613(disclosure@vulncheck.com)
https://www.vulncheck.com/advisories/tenda-g300-f-command-injection-via-formsetwandiag(disclosure@vulncheck.com)
IOC Korrelationen
Keine Korrelationen erfasst
This product uses data from the NVD API but is not endorsed or certified by the NVD.