CVE-2026-7119

HighPublic PoC

Published: 27 April 2026

Published

27 April 2026

Modified

30 April 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0097 76.7th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

A vulnerability was detected in Tenda HG3 2.0. The impacted element is an unknown function of the file /boaform/formCountrystr. The manipulation of the argument countrystr results in os command injection. The attack may be performed from remote. The exploit is…

now public and may be used.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

SI-10 requires information input validation at system entry points, directly preventing OS command injection through manipulation of the countrystr argument in /boaform/formCountrystr.

SI-2 Flaw Remediation good match

prevent

SI-2 mandates identification, reporting, and timely correction of system flaws, enabling patching or mitigation of this specific command injection vulnerability in Tenda HG3 firmware.

SC-7 Boundary Protection partial match

prevent

SC-7 provides boundary protection mechanisms to monitor and control communications at the router's external interface, restricting remote exploitation of the publicly available command injection vulnerability.

Security SummaryAI

CVE-2026-7119 is an OS command injection vulnerability (CWE-77, CWE-78) in Tenda HG3 2.0 router firmware, published on 2026-04-27. The issue resides in an unknown function within the /boaform/formCountrystr file, where manipulation of the countrystr argument enables arbitrary OS command execution.

Attackers can exploit this remotely over the network with low complexity and low privileges required (PR:L), without user interaction. Successful exploitation yields high impacts on confidentiality, integrity, and availability (CVSS:3.1 score of 8.8; AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), allowing injected commands to potentially compromise the device fully.

Advisories from VulDB (https://vuldb.com/vuln/359719) and related CTI (https://vuldb.com/vuln/359719/cti) document the vulnerability, with additional details on a Notion page (https://www.notion.so/Tenda-HG3-1-33d0c75766a8808d8b38e9d090cec7ab) and Tenda's site (https://www.tenda.com.cn/). The exploit is public and available for use.

Security practitioners should monitor for real-world exploitation, as the public exploit increases risk to exposed Tenda HG3 2.0 devices.

Details

CWE(s): CWE-77 CWE-78

Affected Products

tenda

hg3 firmware

300003070

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.004 Unix Shell Execution

Adversaries may abuse Unix shell commands and scripts for execution.

attack.mitre.org →

Why these techniques?

CVE enables remote exploitation of a public-facing router web interface (T1190) for arbitrary OS command injection, facilitating Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://vuldb.com/submit/800859
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/vuln/359719
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/vuln/359719/cti
Permissions Required, VDB Entry · cna@vuldb.com
https://www.notion.so/Tenda-HG3-1-33d0c75766a8808d8b38e9d090cec7ab
Exploit, Third Party Advisory · cna@vuldb.com
https://www.tenda.com.cn/
Product · cna@vuldb.com