CVE-2026-1689
Published: 30 January 2026
Summary
CVE-2026-1689 is a medium-severity Injection (CWE-74) vulnerability in Tenda Hg10 Firmware. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 11.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
A vulnerability has been identified in the Tenda HG10 US_HG7_HG9_HG10re_300001138_en_xpon firmware. It resides in the checkUserFromLanOrWan function within the /boaform/admin/formLogin file of the Login Interface component. The flaw allows command injection through manipulation of the Host argument and is tracked under CWE-74 and CWE-77.
The issue can be exploited remotely by an unauthenticated attacker who supplies a crafted Host value to the login endpoint. Successful exploitation grants the ability to execute arbitrary commands on the device. Public proof-of-concept code demonstrating the attack has been released.
The EPSS score for this CVE has remained low, moving only from 0.0483 to a peak of 0.0536. Available references consist of technical write-ups and exploit repositories on GitHub and VulDB, with no vendor advisory or patch information provided.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5020
Vulnerability details
A vulnerability was detected in Tenda HG10 US_HG7_HG9_HG10re_300001138_en_xpon. The impacted element is the function checkUserFromLanOrWan of the file /boaform/admin/formLogin of the component Login Interface. The manipulation of the argument Host results in command injection. The attack can be launched remotely.…
The exploit is now public and may be used.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct command injection in the unauthenticated web login interface of a network device enables remote exploitation of a public-facing application (T1190) and arbitrary command execution via the network device's command line (T1059.008).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
SI-10 directly addresses command injection by requiring validation of untrusted inputs like the manipulated Host argument in the login interface.
SI-2 requires timely identification, reporting, and remediation of flaws such as this command injection vulnerability through firmware patching.
SC-7 enforces boundary protection to monitor and control remote network traffic targeting the vulnerable login endpoint, reducing exploit opportunities.
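The SI-10 control above comes down to treating the Host header as untrusted input. The following is an added example, not code from the page or from the Tenda firmware, showing the two defender-side checks a practitioner would want: a syntactic parse plus allow-list check of a Host value as a device login handler should apply before using it, and a scan over web-access log lines that flags Host values carrying shell metacharacters or names the device is not configured to answer to. The allow-list ALLOWED_HOSTS, the log line format and every log line are constructed for the example.

```python
"""Host header validation and log-based detection (added example, not vendor code)."""
import re

# Hypothetical allow-list: the names and addresses this device legitimately serves.
ALLOWED_HOSTS = {"192.168.1.1", "router.lan"}

# Shell metacharacters that have no business in a Host header.
SHELL_META = re.compile(r"[;&|`$<>(){}\n\r\\'\"]")

# Syntactic shape of a Host value: a DNS reg-name or IPv4 literal, or a
# bracketed IPv6 literal, with an optional :port suffix.
HOST_RE = re.compile(
    r"^(?P<host>[A-Za-z0-9.-]{1,253}|\[[0-9A-Fa-f:.]+\])(?::(?P<port>\d{1,5}))?$"
)


def parse_host(value: str):
    """Return (host, port) if value is syntactically a Host header, else None.

    Rejecting on shape first means metacharacters never reach any later code
    that might hand the value to a shell or a system() call.
    """
    m = HOST_RE.fullmatch(value.strip())
    if not m:
        return None
    port = int(m.group("port")) if m.group("port") else None
    if port is not None and not 0 < port < 65536:
        return None
    return m.group("host").lower(), port


def is_allowed_host(value: str, allowed=ALLOWED_HOSTS) -> bool:
    """Positive validation (SI-10): the value must parse AND be on the allow-list."""
    parsed = parse_host(value)
    if parsed is None:
        return False
    return parsed[0] in {h.lower() for h in allowed}


# Constructed access-log lines, format: "<client_ip> <host_header> <path>".
SAMPLE_LOG = """\
10.0.0.5 192.168.1.1 /boaform/admin/formLogin
10.0.0.9 router.lan:80 /boaform/admin/formLogin
10.0.0.7 evil.example;id /boaform/admin/formLogin
10.0.0.8 `reboot` /boaform/admin/formLogin
"""


def find_suspicious_hosts(log_text: str):
    """Return (client_ip, host, reason) for lines whose Host value fails validation.

    reason is "metachar" when shell metacharacters are present, otherwise
    "not-allowlisted" when the value parses but is not a configured name.
    """
    hits = []
    for line in log_text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue  # malformed constructed line; real parsers need a stricter format
        client_ip, host, _path = parts
        if SHELL_META.search(host):
            hits.append((client_ip, host, "metachar"))
        elif not is_allowed_host(host):
            hits.append((client_ip, host, "not-allowlisted"))
    return hits


if __name__ == "__main__":
    for client_ip, host, reason in find_suspicious_hosts(SAMPLE_LOG):
        print(f"{client_ip} sent Host={host!r}: {reason}")
```

Two design points matter here. The shape check runs before the allow-list lookup, so a value such as `router.lan:80` is accepted by its host part while anything outside the permitted character set is dropped without further processing. Detection uses the same parser as enforcement: a Host value that the handler would reject is exactly the one worth alerting on in logs from devices that have not yet received a firmware fix (SI-2).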