CVE-2026-1689
Published: 30 January 2026
Summary
CVE-2026-1689 is a high-severity Injection (CWE-74) vulnerability in Tenda HG10 firmware. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 9.9% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 directly addresses command injection by requiring validation of untrusted inputs like the manipulated Host argument in the login interface.
SI-2 requires timely identification, reporting, and remediation of flaws such as this command injection vulnerability through firmware patching.
SC-7 enforces boundary protection to monitor and control remote network traffic targeting the vulnerable login endpoint, reducing exploit opportunities.
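One way to apply SI-10 to the Host value before it is used anywhere else, shown as an added example that is not Tenda's code and not taken from the referenced advisories. `host_header_is_safe` is a hypothetical helper; it assumes only a plain hostname or IPv4 address with an optional port is legitimate, so bracketed IPv6 literals and every other character are rejected.

```c
#include <stddef.h>
#include <string.h>

/* Added example: hypothetical helper, not vendor firmware code.
 * Returns 1 only for a plain "name[:port]" Host value, else 0. */
int host_header_is_safe(const char *host)
{
    size_t len, name_len, i, label_len = 0;
    const char *colon, *p;
    long port = 0;

    if (host == NULL)
        return 0;
    len = strlen(host);
    colon = strchr(host, ':');
    name_len = colon ? (size_t)(colon - host) : len;
    if (name_len == 0 || name_len > 253)
        return 0;

    for (i = 0; i < name_len; i++) {
        unsigned char c = (unsigned char)host[i];
        int alnum = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                    (c >= '0' && c <= '9');
        if (c == '.') {
            /* Reject empty labels and labels ending in '-'. */
            if (label_len == 0 || host[i - 1] == '-')
                return 0;
            label_len = 0;
        } else if (alnum || (c == '-' && label_len > 0)) {
            if (++label_len > 63)
                return 0;
        } else {
            return 0; /* Not on the allow-list, e.g. shell metacharacters. */
        }
    }
    if (label_len == 0 || host[name_len - 1] == '-')
        return 0;
    if (colon == NULL)
        return 1;

    /* Port: decimal digits only, value 1..65535. */
    for (p = colon + 1; *p != '\0'; p++) {
        if (*p < '0' || *p > '9')
            return 0;
        port = port * 10 + (*p - '0');
        if (port > 65535)
            return 0;
    }
    return port != 0;
}
```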
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct command injection in the unauthenticated web login interface of a network device enables remote exploitation of a public-facing application (T1190) and arbitrary command execution via the network device CLI (T1059.008).
NVD Description
A vulnerability was detected in Tenda HG10 US_HG7_HG9_HG10re_300001138_en_xpon. The impacted element is the function checkUserFromLanOrWan of the file /boaform/admin/formLogin of the component Login Interface. The manipulation of the argument Host results in command injection. The attack can be launched remotely.…
The exploit is now public and may be used.
Deeper analysis
CVE-2026-1689 is a command injection vulnerability affecting Tenda HG10 routers running firmware version US_HG7_HG9_HG10re_300001138_en_xpon. The flaw resides in the checkUserFromLanOrWan function within the /boaform/admin/formLogin file of the Login Interface component. Attackers can exploit it by manipulating the Host argument to inject arbitrary commands.
The vulnerability carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), making it remotely exploitable over the network by unauthenticated attackers with low attack complexity and no user interaction. Exploitation enables limited impacts on confidentiality, integrity, and availability, associated with CWE-74 (Improper Neutralization of Special Elements) and CWE-77 (Command Injection). A public exploit is available.
VulDB advisories (ctiid.343483, id.343483) and GitHub proof-of-concept details document the issue, including manipulation steps for the Host argument. No specific patches or mitigations are detailed in the available references.
Details
- CWE(s)