Description
A security flaw has been discovered in Tenda HG3 2.0 300003070. This vulnerability affects the function formgponConf of the file /boaform/admin/formgponConf. The manipulation of the argument fmgpon_loid results in os command injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.
References (5)
Core 5
Core References
Vdb Entry, Technical Description vdb-entry
technical-description
VDB-359671 | Tenda HG3 formgponConf os command injection
https://vuldb.com/vuln/359671
Signature, Permissions Required signature
permissions-required
VDB-359671 | CTI Indicators (IOB, IOC, TTP, IOA)
https://vuldb.com/vuln/359671/cti
Third Party Advisory third-party-advisory
Submit #800796 | Tenda HG3 N300 Wi-Fi xPON ONT HARD_VERSION=V2.0 , Version: 300003070 Remote code execution
https://vuldb.com/submit/800796
Exploit exploit
https://www.notion.so/Tenda-HG3-3250c75766a880c7b50fde0466557c5f
Product product
https://www.tenda.com.cn/
Scores
CVSS v3
8.8
EPSS
0.0408
EPSS Percentile
89.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-77
CWE-78
Status
published
Products (2)
Tenda/HG3
2.0 300003070
tenda/hg3_firmware
300003070
Published
Apr 27, 2026
Tracked Since
Apr 27, 2026