CVE-2026-25857

HIGH

Tenda G300-F <16.01.14.2 - Command Injection

Title source: llm

Description

Tenda G300-F router firmware version 16.01.14.2 and prior contain an OS command injection vulnerability in the WAN diagnostic functionality (formSetWanDiag). The implementation constructs a shell command that invokes curl and incorporates attacker-controlled input into the command line without adequate neutralization. As a result, a remote attacker with access to the affected management interface can inject additional shell syntax and execute arbitrary commands on the device with the privileges of the management process.

Exploits (2)

github WORKING POC 10 stars

by XiaomingX · pythonpoc

https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-25857

View Code ZIP pw:eip

nomisec WORKING POC

by eeeeeeeeeevan · poc

https://github.com/eeeeeeeeeevan/CVE-2026-25857

View Code ZIP pw:eip

References (3)

[Various Sources] https://blog.evan.lat/blog/cve-2026-25857/

[Various Sources] https://www.tendacn.com/material/show/736333682028613

[Third Party Advisory] https://www.vulncheck.com/advisories/tenda-g300-f-command-injection-via-formsetwandiag

Scores

CVSS v3 8.8

EPSS 0.0034

EPSS Percentile 56.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-78

Status published

Products (1)

tenda/g300-f_firmware < 16.01.14.2

Published Feb 07, 2026

Tracked Since Feb 18, 2026