CVE-2026-25857

Name of the Vulnerable Software and Affected Versions Tenda G300-F router firmware versions prior to 16.01.14.2

Description The Tenda G300-F router firmware contains an OS command injection issue in the WAN diagnostic functionality, specifically within the formSetWanDiag function. The software constructs a shell command using curl and incorporates attacker-controlled input without proper sanitization. This allows a remote attacker with access to the management interface to inject shell syntax and execute arbitrary commands on the device with the privileges of the management process. The vulnerable functionality is related to the WAN diagnostic feature.

Recommendations Update to a firmware version later than 16.01.14.2.