Unrated severityNVD Advisory· Published Feb 7, 2026· Updated Mar 5, 2026
Tenda G300-F Command Injection via formSetWanDiag
CVE-2026-25857
Description
Tenda G300-F router firmware version 16.01.14.2 and prior contain an OS command injection vulnerability in the WAN diagnostic functionality (formSetWanDiag). The implementation constructs a shell command that invokes curl and incorporates attacker-controlled input into the command line without adequate neutralization. As a result, a remote attacker with access to the affected management interface can inject additional shell syntax and execute arbitrary commands on the device with the privileges of the management process.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2Patches
Vulnerability mechanics
References
3- blog.evan.lat/blog/cve-2026-25857/mitretechnical-descriptionexploit
- www.vulncheck.com/advisories/tenda-g300-f-command-injection-via-formsetwandiagmitrethird-party-advisory
- www.tendacn.com/material/show/736333682028613mitreproduct
News mentions
0No linked articles in our index yet.