
CVE-2026-1689

Severity: Medium · Public PoC

Published: 30 January 2026
Modified: 10 February 2026
KEV Added: not listed
Patch: none listed
CVSS v4 Score: 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0372 (88.2nd percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-1689 is a medium-severity Injection (CWE-74) vulnerability in Tenda Hg10 Firmware. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 11.8% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

A vulnerability has been identified in the Tenda HG10 US_HG7_HG9_HG10re_300001138_en_xpon firmware. It resides in the checkUserFromLanOrWan function within the /boaform/admin/formLogin file of the Login Interface component. The flaw allows command injection through manipulation of the Host argument and is tracked under CWE-74 and CWE-77.

The issue can be exploited remotely by an unauthenticated attacker who supplies a crafted Host value to the login endpoint. Successful exploitation grants the ability to execute arbitrary commands on the device. Public proof-of-concept code demonstrating the attack has been released.

The EPSS score for this CVE has remained low, moving only from 0.0483 to a peak of 0.0536. Available references consist of technical write-ups and exploit repositories on GitHub and VulDB, with no vendor advisory or patch information provided.

Vulnerability details

A vulnerability was detected in Tenda HG10 US_HG7_HG9_HG10re_300001138_en_xpon. The impacted element is the function checkUserFromLanOrWan of the file /boaform/admin/formLogin of the component Login Interface. The manipulation of the argument Host results in command injection. The attack can be launched remotely.…

The exploit is now public and may be used.

CWE(s)

CWE-74 (Injection), CWE-77 (Command Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.008 Network Device CLI (Execution): Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads.

Why these techniques?

Direct command injection in the unauthenticated web login interface of a network device enables remote exploitation of a public-facing application (T1190) and arbitrary command execution through the network device's CLI (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2026-1687 (same product: Tenda Hg10)
- CVE-2026-6988 (same product: Tenda Hg10)
- CVE-2026-6989 (same vendor: Tenda)
- CVE-2026-1638 (same vendor: Tenda)
- CVE-2026-0581 (same vendor: Tenda)
- CVE-2026-5153 (same vendor: Tenda)
- CVE-2025-25632 (same vendor: Tenda)
- CVE-2025-9090 (same vendor: Tenda)
- CVE-2026-38835 (same vendor: Tenda)
- CVE-2026-31255 (same vendor: Tenda)

Affected Assets

Vendor: Tenda
Product: HG10 firmware
Versions: all versions

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

- prevent: SI-10 (Information Input Validation) directly addresses command injection by requiring validation of untrusted inputs such as the manipulated Host argument in the login interface.
- prevent: SI-2 (Flaw Remediation) requires timely identification, reporting, and remediation of flaws such as this command injection vulnerability through firmware patching.
- prevent: SC-7 (Boundary Protection) monitors and controls remote network traffic targeting the vulnerable login endpoint, reducing exploit opportunities.
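As an added, defender-side illustration of what the SI-10 and SC-7 controls above look like in practice for this flaw, the following example (written for this page, not code from Tenda's firmware or from any published proof of concept) does two things: it validates an HTTP Host value against RFC 3986 host syntax plus an allowlist of the device's own addresses, so that shell metacharacters can never reach a command path, and it scans access-log lines for requests to the login endpoint whose Host fails that check. The log line format, the hostnames, the source addresses and the sample lines are all constructed; only the endpoint path comes from the advisory.

```python
import ipaddress
import re
from typing import Iterable, List, Optional, Set, Tuple

# Shape of a syntactically valid HTTP Host value (RFC 3986 host plus optional
# ":port"): a bracketed IPv6 literal, or a reg-name / dotted IPv4 made only of
# letters, digits, '.' and '-'. Shell metacharacters (; | & ` $ ( ) < > space,
# newline) fall outside this set and therefore never match.
_HOST_RE = re.compile(
    r"(?:\[(?P<ipv6>[0-9A-Fa-f:.]+)\]"
    r"|(?P<name>[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?))"
    r"(?::(?P<port>[0-9]{1,5}))?"
)


def validate_host(value: str, allowed_hosts: Optional[Set[str]] = None) -> bool:
    """Return True only if `value` is a well-formed Host and, when an allowlist
    is given, names one of the device's own expected addresses (SI-10)."""
    if not value or len(value) > 255:
        return False
    m = _HOST_RE.fullmatch(value)  # fullmatch: a trailing newline cannot slip past '$'
    if m is None:
        return False
    if m.group("ipv6") is not None:
        try:
            ipaddress.IPv6Address(m.group("ipv6"))
        except ValueError:
            return False
        host = m.group("ipv6").lower()
    else:
        host = m.group("name").lower()
        if ".." in host or ".-" in host or "-." in host:
            return False  # empty or malformed DNS label
    port = m.group("port")
    if port is not None and not 1 <= int(port) <= 65535:
        return False
    if allowed_hosts is not None and host not in allowed_hosts:
        return False
    return True


# Endpoint named in the advisory; the log line format below is hypothetical.
LOGIN_PATH = "/boaform/admin/formLogin"
_LOG_RE = re.compile(r'src=(?P<src>\S+) host="(?P<host>[^"]*)" path=(?P<path>\S+)')


def flag_suspicious_hosts(lines: Iterable[str], allowed_hosts: Set[str]) -> List[Tuple[str, str]]:
    """Return (source, host) pairs for login-endpoint requests whose Host value
    is malformed or is not one of the device's own addresses (SC-7 monitoring)."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        m = _LOG_RE.search(line)
        if m is None or m.group("path") != LOGIN_PATH:
            continue
        if not validate_host(m.group("host"), allowed_hosts):
            hits.append((m.group("src"), m.group("host")))
    return hits


# Constructed sample access-log lines (not real device logs).
SAMPLE_LOG = [
    'src=192.168.1.20 host="192.168.1.1" path=/boaform/admin/formLogin',
    'src=192.168.1.21 host="router.lan:80" path=/boaform/admin/formLogin',
    'src=203.0.113.7 host="192.168.1.1;" path=/boaform/admin/formLogin',
    'src=203.0.113.8 host="192.168.1.1$(x)" path=/boaform/admin/formLogin',
    'src=192.168.1.22 host="192.168.1.1" path=/status.html',
    'src=198.51.100.3 host="evil.example" path=/boaform/admin/formLogin',
]
DEVICE_HOSTS = {"192.168.1.1", "router.lan"}  # the device's own expected addresses

if __name__ == "__main__":
    for src, host in flag_suspicious_hosts(SAMPLE_LOG, DEVICE_HOSTS):
        print(f"suspicious Host from {src}: {host!r}")
```

The allowlist is what turns a syntax check into a real boundary: a Host value can be perfectly well-formed and still not belong to the device, and the second kind of mismatch is worth alerting on at the perimeter even when the syntax check alone would have prevented injection.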
