CVE-2026-25857
HIGH WAF: High
CVSS 8.8
Published: 2026-02-07
CWE-78
Tenda G300-F router firmware version 16.01.14.2 and prior contain an OS command injection vulnerability in the WAN diagnostic functionality (formSetWanDiag). The implementation constructs a shell command that invokes curl and incorporates attacker-controlled input into the command line without adequate neutralization. As a result, a remote attacker with access to the affected management interface can inject additional shell syntax and execute arbitrary commands on the device with the privileges of the management process.
WAF Coverage Analysis
OS Command Injection
High WAF Coverage
OWASP: A03:2021 Injection
932xxx - Remote Code Execution
Affected Software
| Vendor | Product | Version |
|---|---|---|
| tenda | g300-f_firmware | up to 16.01.14.2 |
References
- blog.evan.lat (Exploit, Third Party Advisory)
- www.tendacn.com (Product)
- www.vulncheck.com (Third Party Advisory, VDB Entry)