CVE-2026-25857

CVSS v2.0

9.0

High

Vector

AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions Tenda G300-F router firmware versions prior to 16.01.14.2

Description The Tenda G300-F router firmware contains an OS command injection issue in the WAN diagnostic functionality, specifically within the formSetWanDiag function. The software constructs a shell command using curl and incorporates attacker-controlled input without proper sanitization. This allows a remote attacker with access to the management interface to inject shell syntax and execute arbitrary commands on the device with the privileges of the management process. The vulnerable functionality is related to the WAN diagnostic feature.

Recommendations Update to a firmware version later than 16.01.14.2.

Exploit

Fix

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-78

Related Identifiers

BDU:2026-01506

CVE-2026-25857

Affected Products

Tenda G300-F

CVE-2026-25857

Weakness Enumeration

Related Identifiers

Affected Products

References · 9