CVE-2026-25857

HIGH

Tenda G300-F <16.01.14.2 - Command Injection

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-25857. PoCs published by XiaomingX, eeeeeeeeeevan.

AI-analyzed exploit summary This repository contains a functional SQL injection exploit for WordPress Quiz Maker (CVE-2025-10042), demonstrating time-based blind SQLi via crafted HTTP headers. The PoC includes data extraction logic for WordPress admin credentials and hashes.

Description

Tenda G300-F router firmware version 16.01.14.2 and prior contain an OS command injection vulnerability in the WAN diagnostic functionality (formSetWanDiag). The implementation constructs a shell command that invokes curl and incorporates attacker-controlled input into the command line without adequate neutralization. As a result, a remote attacker with access to the affected management interface can inject additional shell syntax and execute arbitrary commands on the device with the privileges of the management process.

Exploits (2)

github WORKING POC 10 stars

by XiaomingX · pythonpoc

https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-25857

View Code ZIP pw:eip

This repository contains a functional SQL injection exploit for WordPress Quiz Maker (CVE-2025-10042), demonstrating time-based blind SQLi via crafted HTTP headers. The PoC includes data extraction logic for WordPress admin credentials and hashes.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: WordPress Quiz Maker <= 6.7.0.56

No auth needed

Prerequisites: target WordPress URL · path to quiz page · vulnerable header (default: X-Forwarded-For)

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 27, 2026 Full analysis →

nomisec WORKING POC

by eeeeeeeeeevan · poc

https://github.com/eeeeeeeeeevan/CVE-2026-25857

View Code ZIP pw:eip

This exploit targets a command injection vulnerability in a web interface, allowing remote code execution via crafted JSON payloads. It supports reverse shell and file download modes by injecting commands into the 'diagnose' module parameters.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Unknown (likely a router or network device with a web interface)

No auth needed

Prerequisites: Network access to the target device · Target device must have the vulnerable endpoint exposed

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Various Sources technical-description exploit

https://blog.evan.lat/blog/cve-2026-25857/

Various Sources product

https://www.tendacn.com/material/show/736333682028613

Third Party Advisory third-party-advisory

https://www.vulncheck.com/advisories/tenda-g300-f-command-injection-via-formsetwandiag

Scores

CVSS v3 8.8

EPSS 0.0282

EPSS Percentile 84.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-78

Status published

Products (2)

Shenzhen Tenda Technology/Tenda G300-F < 16.01.14.2

tenda/g300-f_firmware < 16.01.14.2

Published Feb 07, 2026

Tracked Since Feb 18, 2026