CVE-2026-25857

Tenda G300-F router firmware version 16.01.14.2 and prior contain an OS command injection vulnerability in the WAN diagnostic functionality (formSetWanDiag). The implementation constructs a shell command that invokes curl and incorporates attacker-controlled input into the command line without adequate neutralization. As a result, a remote attacker with access to the affected management interface can inject additional shell syntax and execute arbitrary commands on the device with the privileges of the management process.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://blog.evan.lat/blog/cve-2026-25857/	Exploit Third Party Advisory
https://www.tendacn.com/material/show/736333682028613	Product
https://www.vulncheck.com/advisories/tenda-g300-f-command-injection-via-formsetwandiag	Third Party Advisory VDB Entry

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:tenda:g300-f_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:tenda:g300-f:1.0:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-07 22:16

Updated : 2026-03-05 20:33

NVD link : CVE-2026-25857

Mitre link : CVE-2026-25857

CVE.ORG link : CVE-2026-25857

JSON object : View

Products Affected

tenda

g300-f_firmware
g300-f

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2026-25857", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.6, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-07T22:16:02.607", "references": [{"url": "https://blog.evan.lat/blog/cve-2026-25857/", "tags": ["Exploit", "Third Party Advisory"], "source": "disclosure@vulncheck.com"}, {"url": "https://www.tendacn.com/material/show/736333682028613", "tags": ["Product"], "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/tenda-g300-f-command-injection-via-formsetwandiag", "tags": ["Third Party Advisory", "VDB Entry"], "source": "disclosure@vulncheck.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "Tenda G300-F router firmware version 16.01.14.2 and prior contain an OS command injection vulnerability in the WAN diagnostic functionality (formSetWanDiag). The implementation constructs a shell command that invokes curl and incorporates attacker-controlled input into the command line without adequate neutralization. As a result, a remote attacker with access to the affected management interface can inject additional shell syntax and execute arbitrary commands on the device with the privileges of the management process."}, {"lang": "es", "value": "El firmware del router Tenda G300-F, versi\u00f3n 16.01.14.2 y anteriores, contiene una vulnerabilidad de inyecci\u00f3n de comandos del sistema operativo en la funcionalidad de diagn\u00f3stico WAN (formSetWanDiag). La implementaci\u00f3n construye un comando de shell que invoca curl e incorpora entrada controlada por el atacante en la l\u00ednea de comandos sin una neutralizaci\u00f3n adecuada. Como resultado, un atacante remoto con acceso a la interfaz de gesti\u00f3n afectada puede inyectar sintaxis de shell adicional y ejecutar comandos arbitrarios en el dispositivo con los privilegios del proceso de gesti\u00f3n."}], "lastModified": "2026-03-05T20:33:27.963", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:tenda:g300-f_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "22CFA7F2-88E4-44CA-91E8-08D83669B62A", "versionEndIncluding": "16.01.14.2"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:tenda:g300-f:1.0:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "C55B27E2-33B6-4131-A7C7-DF952D0F05B3"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "disclosure@vulncheck.com"}