CVE-2026-25857

HIGH

Tenda G300-F <16.01.14.2 - Command Injection

Title source: llm

Description

Tenda G300-F router firmware version 16.01.14.2 and prior contain an OS command injection vulnerability in the WAN diagnostic functionality (formSetWanDiag). The implementation constructs a shell command that invokes curl and incorporates attacker-controlled input into the command line without adequate neutralization. As a result, a remote attacker with access to the affected management interface can inject additional shell syntax and execute arbitrary commands on the device with the privileges of the management process.

Exploits (2)

github WORKING POC 10 stars

by XiaomingX · pythonpoc

https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-25857

View Code ZIP pw:eip

nomisec WORKING POC

by eeeeeeeeeevan · poc

https://github.com/eeeeeeeeeevan/CVE-2026-25857

View Code ZIP pw:eip

References (3)

[Various Sources] https://blog.evan.lat/blog/cve-2026-25857/

[Various Sources] https://www.tendacn.com/material/show/736333682028613

[Third Party Advisory] https://www.vulncheck.com/advisories/tenda-g300-f-command-injection-via-formsetwandiag

Scores

CVSS v3 8.8

EPSS 0.0039

EPSS Percentile 59.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-78

Status published

Affected Products (1)

tenda/g300-f_firmware < 16.01.14.2

Timeline

Published Feb 07, 2026

Tracked Since Feb 18, 2026