CVE-2026-25857
Published: 07 February 2026
Description
Tenda G300-F router firmware version 16.01.14.2 and prior contain an OS command injection vulnerability in the WAN diagnostic functionality (formSetWanDiag). The implementation constructs a shell command that invokes curl and incorporates attacker-controlled input into the command line without adequate neutralization.
As a result, a remote attacker with access to the affected management interface can inject additional shell syntax and execute arbitrary commands on the device with the privileges of the management process.
Mitigating Controls (NIST 800-53 r5)
- Directly requires validation and sanitization of attacker-controlled inputs incorporated into shell commands in formSetWanDiag to prevent OS command injection.
- Mandates timely identification, reporting, and patching of the specific command injection flaw via firmware updates as recommended in advisories.
- Monitors and controls network communications to the management interface, blocking unauthorized remote access required to exploit formSetWanDiag.
Security Summary
CVE-2026-25857 is an OS command injection vulnerability (CWE-78) in Tenda G300-F router firmware versions 16.01.14.2 and prior. The issue affects the WAN diagnostic functionality, specifically the formSetWanDiag component, where the implementation constructs a shell command that invokes curl and directly incorporates attacker-controlled input into the command line without adequate neutralization or sanitization.
A remote attacker with access to the affected management interface and low privileges (PR:L) can exploit the vulnerability over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Exploitation enables injection of additional shell syntax, allowing arbitrary command execution on the device with the privileges of the management process. The vulnerability yields high impacts on confidentiality, integrity, and availability, earning a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Advisories and mitigation guidance are provided by Tenda at https://www.tendacn.com/material/show/736333682028613, as well as by researchers at https://blog.evan.lat/blog/cve-2026-25857/ and https://www.vulncheck.com/advisories/tenda-g300-f-command-injection-via-formsetwandiag. Security practitioners should review these sources for firmware patches, upgrade instructions, or temporary workarounds such as restricting management interface access.
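As an added example (not code from this record, the Tenda firmware, or the linked researchers), a hypothetical C handler shows the fix the controls above call for: the user-supplied diagnostic target is validated, and curl is started with an argv array via execvp() rather than a formatted shell string, so shell syntax in the input is never interpreted. The function names, URL shape, and curl options are assumptions.

```c
/* Hypothetical WAN-diagnostic handler (assumed names, not the Tenda code):
 * validate the target, then run curl without a shell. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allow-list check: only hostname / IPv4-literal characters (letters,
 * digits, '.', '-'). Spaces, ';', '|', '`', '$', quotes, etc. are rejected,
 * and a leading '-' is refused because curl would read it as an option.
 * Returns 1 if the target is acceptable, 0 otherwise. */
int diag_target_is_valid(const char *target)
{
    size_t len = strlen(target);
    if (len == 0 || len > 253) return 0;
    if (target[0] == '-') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)target[i];
        if (!(isalnum(c) || c == '.' || c == '-')) return 0;
    }
    return 1;
}

/* Runs the diagnostic with fork()+execvp(): argv goes straight to curl, so
 * no shell ever parses the target. Returns curl's exit status, or -1 on
 * invalid input or fork/exec/wait failure. */
int run_wan_diag(const char *target)
{
    if (!diag_target_is_valid(target)) return -1;   /* fail closed */
    char url[300];
    snprintf(url, sizeof url, "http://%s/", target);
    char *const argv[] = {"curl", "--silent", "--output", "/dev/null",
                          "--max-time", "5", "--", url, NULL};
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp("curl", argv);
        _exit(127);                  /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Rejected inputs never reach fork(), so the handler returns -1 before any process is spawned; the validator is the place to add a log line for detection of injection attempts.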
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables remote exploitation of the public-facing router web management interface (T1190) via command injection, allowing arbitrary Unix shell command execution (T1059.004).