CVE-2026-38835
Published: 21 April 2026
Description
Tenda W30E V2.0 V16.01.0.21 was found to contain a command injection vulnerability in the formSetUSBPartitionUmount function via the usbPartitionName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates input validation mechanisms at vulnerable entry points like the usbPartitionName parameter to block command injection exploits.
Requires identification, reporting, and correction of flaws such as CVE-2026-38835 through timely patching of the affected firmware.
Enforces access authorizations to restrict unauthenticated remote access to the vulnerable formSetUSBPartitionUmount function.
Security SummaryAI
CVE-2026-38835 is a command injection vulnerability in the Tenda W30E V2.0 router running firmware version V16.01.0.21. The flaw exists in the formSetUSBPartitionUmount function, where the usbPartitionName parameter is vulnerable to improper input sanitization, enabling attackers to inject and execute arbitrary commands through a specially crafted request. This issue corresponds to CWE-77 and was published on 2026-04-21.
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical. Unauthenticated attackers can exploit it remotely over the network with low attack complexity and no user interaction, achieving arbitrary command execution on the affected device. This grants high-impact access to compromise confidentiality, integrity, and availability.
References for further details include https://github.com/jsjbcyber/repo/blob/main/rep_2.md.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated remote command injection via unsanitized web parameter on public-facing router enables exploitation of public-facing application (T1190) and network device CLI command execution (T1059.008).